82 FR 7825 - Fifth Generation Wireless Network and Device Security

FEDERAL COMMUNICATIONS COMMISSION

Federal Register Volume 82, Issue 13 (January 23, 2017)

Page Range: 7825-7830
FR Document: 2017-01325

In this document, the Commission seeks comment on new security issues that implementation of the fifth generation (5G) wireless network and device security presents to the general public, and on the current state of planning to address these issues. The inquiry, focusing on cybersecurity for 5G, raises fundamental questions about scope and responsibilities for such security. The goal of this proceeding is to begin a conversation on the state of 5G wireless network and device security and to foster a dialogue on the best methods for ensuring that the 5G wireless networks and devices used by service providers in their operations are secure from the beginning.

[Federal Register Volume 82, Number 13 (Monday, January 23, 2017)]
[Notices]
[Pages 7825-7830]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-01325]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

[PS Docket No. 16-353; DA16-1282]


Fifth Generation Wireless Network and Device Security

AGENCY: Federal Communications Commission.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission seeks comment on new security 
issues that implementation of the fifth generation (5G) wireless 
network and device security presents to the general public, and on the 
current state of planning to address these issues. The inquiry, 
focusing on cybersecurity for 5G, raises fundamental questions about 
scope and responsibilities for such security. The goal of this 
proceeding is to begin a conversation on the state of 5G wireless 
network and device security and to foster a dialogue on the best 
methods for ensuring that the 5G wireless networks and devices used by 
service providers in their

[[Page 7826]]

operations are secure from the beginning.

DATES: Comments are due on or before April 24, 2017; reply comments are 
due on or before May 23, 2017.

ADDRESSES: You may submit comments, identified by PS Docket No. 16-353, 
by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Federal Communications Commission's Web site: http://fjallfoss.fcc.gov/ecfs2/. Follow the instructions for submitting 
comments.
     Mail: Filings can be sent by hand or messenger delivery, 
by commercial overnight courier, or by first-class or overnight U.S. 
Postal Service mail. All filings must be addressed to the Commission's 
Secretary, Office of the Secretary, Federal Communications Commission.
     People with Disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by email: [email protected] or phone: (202) 418-
0530 or TTY: (202) 418-0432.

For detailed instructions for submitting comments and additional 
information on the rulemaking process, see the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: For further information, contact 
Gregory Intoccia of the Public Safety and Homeland Security Bureau, 
Communications Cybersecurity and Reliability Division, at (202) 418-
1470 or at [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice 
of Inquiry, DA 16-1282, adopted and released on December 16, 2016. The 
full text is available for public inspection and copying during regular 
business hours in the FCC Reference Center, Federal Communications 
Commission, 445 12th Street SW., Room CY-A257, Washington, DC 20554. 
This document will also be available via ECFS at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1216/DA-16-1282A1.pdf. Documents will be available electronically in ASCII, 
Microsoft Word, and/or Adobe Acrobat. The complete text may be 
purchased from the Commission's copy contractor, 445 12th Street SW., 
Room CY-B402, Washington, DC 20554. Alternative formats are available 
for people with disabilities (Braille, large print, electronic files, 
audio format), by sending an email to [email protected] or calling the 
Commission's Consumer and Governmental Affairs Bureau at (202) 418-0530 
(voice), (202) 481-0432 (TTY).

Synopsis

I. Introduction and Background

    1. Fifth generation (5G) wireless technologies represent the next 
evolutionary step in wireless communications. These networks promise to 
enable or support a diverse range of new applications, and will provide 
for a vast array of user requirements, traffic types, and connected 
devices. 5G communications technology could be particularly useful in 
enabling the growing number of high-capacity networks necessary for 
transformative business and consumer services, as well as backhaul, and 
communications related to the ``Internet of Things'' (IoT) technology.
    2. 5G has the potential to be an enormous driver of economic 
activity. It is a national priority to foster an environment in which 
5G can be developed and deployed across the country. That means both 
ensuring that networks are secure and that the regulatory obligations 
are measured. The Federal Communications Commission (FCC) has an 
opportunity at this stage to ensure that these new technologies and 
networks are secure by design. Therefore, while the FCC is moving 
quickly to make the spectrum needed for 5G available in the near term, 
it is also seeking to accelerate the dialogue around the critical 
importance of the early incorporation of cybersecurity protections in 
5G networks, services, and devices.
    3. In its July 2016 Spectrum Frontiers Report and Order, the FCC 
reiterated its view that communications providers are generally in the 
best position to evaluate and address security risks to network 
operations. Toward this end, the FCC adopted a rule requiring Upper 
Microwave Flexible Use Service licensees to submit general statements 
of their network security plans. The statements are designed to 
encourage licensees to consider security in their new 5G networks. The 
Public Safety and Homeland Security Bureau (PSHSB) issues this Notice 
of Inquiry (NOI) to seek input on the new issues raised by 5G security 
in order to foster dialogue between relevant standards bodies and 
prospective 5G providers on the best methods for ensuring that networks 
and devices are secure from the beginning.
    4. PSHSB intends this inquiry to complement the important work on 
cybersecurity that is already taking place within the government and 
private sector. The FCC, these other groups, and the wireless industry 
all have a significant interest in ensuring that these new networks 
consider security risk and mitigation techniques from the outset. This 
NOI, and the record it seeks to develop, will help in that effort.
    5. PSHSB recognizes that the inquiry, focusing on cybersecurity for 
5G, raises fundamental questions relative to scope and 
responsibilities. Security of network infrastructure, such as 
protecting software and hardware that are essential to signaling and 
control of Radio Access Networks and to ensure the proper operation of 
the network, creates one perspective. Another perspective, however, is 
the end-to-end security of both the network and the devices that 
connect to commercial network services. Devices and other network 
elements may be furnished by the service provider, third parties, and 
consumers themselves. Who should be responsible for cyber protections 
for a device, or should responsibility be shared in some recognizable 
manner across the 5G ecosystem? PSHSB also appreciates that 5G is not 
apt to be a separate network, but rather will be integrated with 
existing previous generation networks, perhaps indefinitely. Do 
questions about the cyber protections of 5G networks inherently 
implicate the other networks associated with them? Where should the 
lines between networks be drawn relative to responsibility for 5G 
cybersecurity?

II. Inquiry

    6. This NOI looks holistically at the security implications arising 
through the provision of a wide variety of services to various market 
sectors and users in the future 5G network environment. The NOI also 
explores 5G security threats, solutions, and best practices. As used in 
this NOI, ``security'' and ``information security'' refer to protecting 
data, networks, and systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction, in order to protect 
confidentiality, integrity, and availability with respect to such 
networks, systems, and defined user communities. The terms 
``confidentiality,'' ``integrity,'' and ``availability,'' or ``CIA,'' 
are meant to refer to those three interrelated and dynamic principles 
that collectively guide security practices and illustrate the 
various considerations that must be applied when developing a security 
posture for communications technologies and services. ``Confidentiality'' 
refers to protecting data from unauthorized access and

[[Page 7827]]

disclosure. ``Integrity'' refers to protecting data from unauthorized 
modification or destruction, both at rest and in transit. Finally, 
``availability'' refers to whether a network provides timely, reliable 
access to data and information services for authorized users. All three 
of these principles are fundamental to any security framework and are 
dynamically interrelated, and thus no particular principle should be 
addressed in isolation if 5G security is to be achieved.
    7. As an initial matter, the NOI seeks to understand the current 
state of security planning for 5G networks. Please comment on the 
current efforts across industry to study 5G security, develop security 
protocols and solutions, and triage 5G security issues when they arise. 
How are equipment developers considering security in the design of 5G 
equipment? How are service providers considering security in the 
planning of 5G networks and ensuring end-to-end security where 5G 
technology is integrated with prior generation technology in 
heterogeneous networks? How can the FCC support and enhance this work? 
What known vulnerabilities require increased study? How should 5G 
differ in terms of cybersecurity needs from its widely-deployed 
predecessor generation, 4G LTE? What cybersecurity lessons can be 
learned from 4G deployment and operational experience that are 
applicable to the 5G security environment? What should be different, if 
anything, between LTE pre-5G deployment and post-5G deployment?
    8. The Commission encourages commenters to consider this common 
thread throughout the NOI: how can the FCC, working together with other 
stakeholders, ensure the rapid deployment of secure 5G networks, 
services, and technologies?

A. Protecting Confidentiality, Integrity, and Availability

    9. The FCC seeks to promote 5G security through a ``security-by-
design'' approach to 5G development. The NOI seeks comment on the 
premise that, by utilizing the ``confidentiality,'' ``integrity,'' and 
``availability'' (CIA) principles, a firm may avoid or mitigate 5G 
network and device data security risk through strong, adaptive 
protections against unauthorized use, disclosure, and access. What are 
the benefits and limitations of a security-by-design approach and of 
employing CIA principles?
    10. Please comment on how the CIA principles are being considered 
for 5G networks, systems, and devices. In particular, the NOI examines 
below how CIA principles are being taken into consideration with 
respect to authentication, encryption, physical security, device 
security, protecting 5G networks from cyber attacks, patch management, 
and risk segmentation of networks. This is a non-exclusive list, and 
comment is requested on other areas that are potential vulnerabilities 
for 5G.
1. Authentication
    11. Preserving the confidentiality and integrity of networks, 
systems, and data depends on limiting access to authorized users. This 
is typically accomplished through effective, and sometimes mutual, 
authentication. Mutual authentication generally requires that both 
entities involved in a transaction verify each other's identity at the 
same time. The NOI seeks comment on the use of authentication in 
networks today and whether existing authentication practices will be 
applicable to the 5G environment. The NOI further seeks comment on the 
effective use of mutual authentication, in particular, for protecting 
5G networks against unauthorized access and end-user devices against 
attaching to malicious network components, as well as the perceived 
limitations and drawbacks of those uses. Are there specific 
considerations that would apply to 5G devices? Under what circumstances 
would mutual authentication be considered essential to ensure or 
bolster security? Are there any circumstances where mutual 
authentication would not be beneficial? If a communications provider 
did not invest in mutual authentication, how would that likely affect 
its relative overall security risk? What other authentication 
methodologies might be effective for 5G security? Would the mass 
deployment of high-volume, low-cost 5G devices in IoT networks present 
particular authentication challenges? How can providers effectively 
authenticate the communications of high-volume, low-cost 5G devices--
device to device, device to network, and network to device? How can 
providers effectively address these challenges? Would it be appropriate 
for 5G architects to consider identity credentialing and access 
management, in addition to authentication?
2. Encryption
    12. Encryption can be an important aspect of protecting 
confidentiality, integrity and availability in communications 
environments. The NOI seeks comment on the planned deployment and use 
of encryption to promote 5G security, as well as on the perceived 
challenges, costs, and benefits of encryption at both the network and 
device levels.
    13. Please comment on whether currently available encryption 
protocols are effective in securing devices and are likely to be 
effective in a 5G environment in which innumerable, low-cost devices 
are expected to operate, as well as ways that 5G participants can 
address encryption key management and distribution mechanism 
challenges. Additionally, comment is requested on stakeholder 
responsibilities with respect to objective encryption key management 
for 5G.
    14. Please also comment on whether encryption is necessary for all 
5G communications, and whether the decisions made by the 3rd Generation 
Partnership Project (3GPP) standards body that resulted in non-
encryption for such systems are rooted in increased latency, degraded 
performance due to added signaling or computational requirements, an 
interest in minimizing changes to LTE standards as 5G is standardized, 
or other factors. Please comment on what lessons, if any, can be 
learned from the underlying rationale of these decisions as they 
pertain to encryption for 5G communications.
    15. Finally, the NOI seeks comment on whether 5G service providers 
should distinguish between the application of encryption to products 
that would operate primarily on the 5G control plane and those that 
would be part of the user plane. If such a distinction is desirable, 
how should such a distinction be made?
3. Physical Security
    16. Physical security aims to protect networks and critical 
components of end-user devices, even where those devices are in the 
possession of unauthorized users. Please comment on physical security 
objectives and needs in the 5G environment, and on any other 
considerations the FCC should take into account in its examination of 
physical security of 5G networks and devices.
    17. What device- and network-based physical security methods would 
be most effective if applied to 5G devices? To what extent does lack of 
physical security pose a threat to, or introduce risk from, unsupervised 
5G devices? Will the 5G environment present any new or unique 
challenges? What other issues and 
factors should the FCC consider on the question of preserving 
confidentiality, integrity and availability through physical security?

[[Page 7828]]

    18. What aspects or uses of 5G networks should be considered 
``mission critical'' and, as such, do they warrant special 
consideration with respect to physical security? What ``mission 
critical'' activities distinguish these networks and how can they be 
physically secured in the 5G environment? Should certain 5G networks be 
physically diverse at the network level as a result of the ``mission-
critical'' aspects they support or enable? If so, how should that 
diversity be achieved?
4. Device Security
    19. Ensuring the provision of confidentiality, integrity, and 
availability requires that devices are secure and capable of 
authenticating on the network. What methodologies will be used to 
protect the variety of devices connected to 5G networks? Is current SIM 
technology robust enough to ensure security without posing threats to 
consumers, service providers, or the underlying infrastructure? Will 
SIM technology be leveraged for 5G? Do standards for next generation 
SIM cards effectively address security and integrity concerns? What new 
security benefits or challenges are created by the use of eSIMs? Are 
there non-SIM methods that should be considered for high-volume, low-
cost devices, and if so, are standards bodies currently developing 
standards for such methods? What other issues and factors should the 
FCC consider on the question of preserving CIA through device security?
5. Protecting 5G Networks From DoS and DDoS Attacks
    20. A security exploit that targets network resources, such as a 
Denial-of-Service (DoS) or Distributed Denial of Service (DDoS) attack, 
could have an impact on availability of service by causing a total or 
partial disruption of service. The NOI seeks comment and supporting 
data on the mechanisms most likely to be effective at preserving 
confidentiality, integrity and availability through mitigation of DoS 
and DDoS attack risks in the planned 5G environment, including 
techniques for protecting both the network control and data planes. 
Which methods of defense against DoS and DDoS attacks are the most 
cost-effective?
    21. Please comment on whether additional standards are needed to 
assist in mitigating DoS and DDoS attacks. What anti-spoofing 
technologies are most likely to be effective in the 5G environment, and 
what are the challenges to their deployment?
6. Patch Management
    22. For more than a decade, communications security authorities and 
expert bodies, such as the FCC's Federal Advisory Committee for 
communications security policy development The FCC seeks comment and 
supporting data on patch management's role as part of a service 
provider's overall security risk management strategy in the 5G 
environment.
    23. Please also comment on which 5G network elements can be 
successfully maintained by service providers through patch management. 
There are generally four types of patches that are pushed to devices 
with service provider involvement: (1) Patches from service providers 
to their own infrastructure; (2) patches service providers require and 
push on to subscriber devices; (3) patches to third-party 
infrastructure that are leased by service providers but owned by a 
third party; (4) patches to subscriber devices that are sent by device 
manufacturers under the direction of service providers. For each type of 
patch, please comment on processes that service providers and mobile 
device manufacturers should adopt to sustain an effective patch 
management program in the 5G environment. How do service providers and 
mobile device manufacturers routinely make themselves aware of new 
vulnerabilities that need to be patched? How soon after a vulnerability 
is discovered is the corresponding patch pushed to devices? What other 
mechanisms might preclude unauthenticated code from running on 5G 
devices that are connected to their networks?
    24. Please comment on how 5G service providers and equipment 
manufacturers can ensure that critical security software updates are 
installed on their subscriber devices in a timely fashion. How can 5G 
service providers effectively ensure firmware and software patch 
management related to security through their customer relationships? 
How common is it for manufacturers or service providers to rely on 
consumers to become aware of and install patches to their software and/
or hardware? What do 5G service providers plan to do to help ensure 
that a subscriber's devices remain ``patchable'' and/or 
``discoverable'' for purposes of device updates? How can consumers 
determine whether an older device or service, no longer being sold at 
retail, is still receiving security-related patches and whether it is 
still safe to use?
    25. Finally, please comment on whether relevant standards have been 
produced that present a common approach, or describe a best practice, 
to facilitate patch management procedures that can be applied 
regardless of the underlying device operating system in a 5G ecosystem. 
In the absence of any deployed standard, should this effort be 
explored, and if so, which standards body or forum would be the best 
candidate to address this issue? What other issues and factors should 
the FCC consider on the question of preserving CIA through patch 
management?
7. Risk Segmentation
    26. Risk segmentation involves splitting network elements into 
separate components to help isolate security breaches and minimize 
overall risk. Risk segmentation or network slicing might allow greater 
resiliency, more effective cyber threat monitoring and analysis and 
stronger security for network service supporting critical 
infrastructure communications (to include ICS and SCADA). Please 
comment on the use of segmentation in 5G networks and how segmentation 
can reduce risk in such networks.
    27. Please provide comments and supporting data on ways that 
segmentation could be achieved throughout the 5G ecosystem to ensure 
service providers have greater situational awareness and ability to 
respond to, and contain, security threats. What lessons have service 
providers and other enterprises learned about the application of 
segmentation in older networks that can be applied to 5G networks? To 
what extent can service providers use network segmentation 
technologies, such as a virtual private network (VPN) or other 
cryptographic separation, to help ensure that no device operating on 
their network's control plane is directly and immediately accessible 
via the Internet? Could VPNs or a similar mechanism be scaled in such a 
way that 5G providers could implement segmentation across their entire 
ecosystem? Please comment on the technologies used for network 
segmentation, and on how to ensure that future networks employing these 
new architectures use security-by-design principles to minimize 
security risk.
    28. Should segmentation in the 5G environment be based on geography 
or region, on type of function or device, or by community of interest? 
To what extent are service providers segmenting physical, logical and 
virtual risks? Please comment on what 5G service providers plan to do 
to establish logical and physical separation of different bands and/or 
receive antennas in order to improve integrated device security.

[[Page 7829]]

    29. Please comment on whether certain network elements or 
activities merit special consideration with respect to risk 
segmentation. To what extent are such segmentation strategies effective 
in reducing security risk?
    30. Risk segmentation can also be applied to devices in terms of 
firmware, software, and data. In some cases, configuration data may be 
set as read-only by the device, but can only be changed by the service 
provider. Please comment on whether privacy features and requirements 
have been standardized in organizations like 3GPP (and to what extent 
they will be standardized for 5G) to support confidentiality and 
integrity of information. What other issues and factors should the FCC 
consider on the question of preserving CIA through segmentation?
    31. Finally, with respect to each of the topics discussed above, 
the FCC seeks information regarding which standards bodies are involved 
and the state of standards development to protect CIA in the 5G 
environment. Is there a need for additional standards body involvement?

B. Additional 5G Security Considerations

1. Overview
    32. It is widely expected that 5G networks will be used to connect 
the myriad devices, sensors and other elements that will form the 
Internet of Things (IoT). The anticipated diversity and complexity of 
these networks, how they interconnect, and the sheer number of discrete 
elements they will comprise raise concerns about the effective 
management of cyber threats. How can holistic security objectives for 
5G be established? What roles can service providers and device 
manufacturers play to reduce security risk for various communities of 
interest? How should service providers, device manufacturers, standards 
bodies and the FCC coordinate their efforts? Are there particular 
standards being developed for 5G IoT applications? Finally, please 
comment on benefits and costs associated with effective hardware, 
firmware, software, and application security for 5G.
    33. Please provide comments on the extent to which IoT devices 
could place 5G networks at unique risk. For example, are there 
particular vulnerabilities that arise from, or are increased by, the 
fact that 5G communications have relatively short range and rely on 
multiple access points? It is possible that some IoT devices will 
have limited security features. Could this have a negative effect on 
overall 5G network security? If so, what roles can network equipment 
providers, ISPs and device manufacturers play, by themselves and in 
coordination, to mitigate the risks? Are any lessons being learned from 
the October 2016 DDoS attacks relevant to 5G? Where risk externalities 
exist, how will the 5G marketplace address cybersecurity risk in the 
commons?
    34. Please comment on whether and how security needs for 5G IoT 
devices might differ from other infrastructures, including, in 
particular, each of the critical infrastructure sectors. What 
expectations would various critical infrastructure sectors likely have 
for the security capabilities and features of 5G services? Does the 
government have a role where residual risk unduly threatens critical 
infrastructure or national security, and if so, what should it be?
    35. Given the likely unprecedented diversity of connected devices 
and their manufacturers, comment is sought on whether 5G security could 
be challenged by hardware issues, including threats from a compromised 
supply chain. How are service providers and equipment manufacturers 
currently assessing supply chain risks? Are they assessing risks 
consistent with NIST guidelines? The FCC seeks comment on whether, and 
if so, how 5G service providers should ensure the provenance of the 
hardware, firmware, software, and applications operating in their 
environments. What special considerations, if any, should be applied 
relative to 5G supply chain risks?
    36. Please comment on benefits and costs associated with effective 
hardware, firmware, software, and application security for 5G. What are 
the costs associated with updating existing hardware, firmware, 
software, and applications versus the costs of adding entirely new 
elements for a totally new security posture? Is there a role for 5G-
specific third party security entities? Do benefits and costs vary 
depending on the use of open-source software compared to proprietary 
software? What are the costs of adding security-specific features to 5G 
network hardware, firmware, software and applications? Are there scale 
economies observed across local, regional, and nationwide 5G networks? 
Finally, what other issues or factors should the FCC consider with 
respect to the preservation of confidentiality, integrity and 
availability in the 5G environment?
2. Roles and Responsibilities
    37. Because of the anticipated proliferation of 5G networks and the 
devices that will be deployed on them, there is a chance that the cyber 
integrity of the network as a whole could be overlooked on the 
assumption that another network participant would be responsible. Is 
this a valid concern? Please provide comments on who should be 
responsible for assuring cyber security across the 5G ecosystem, what 
principles should guide the management of cyber risk, and how cyber 
risk should be managed within companies. How should providers work 
together across the 5G ecosystem to achieve desirable outcomes in cyber 
risk management?
    38. Relatedly, please provide information on how the 5G ecosystem 
will share information about cyber threats and concerns. Please comment 
on whether an Information Sharing and Analysis Organization (ISAO) 
construct could be or should be applied to the 5G ecosystem. Would it 
be appropriate to develop a 5G-specific ISAO? Should 5G networks be 
instrumented to support automated cybersecurity threat indicators and 
network anomaly information sharing and analysis? Is an ISAO or 
multiple ISAOs the right focal point for automated cyber information 
sharing and analysis? Should it address IoT concerns more broadly or 
focus on network-based considerations? Who should be involved? Should 
work of ISAOs dealing with related topics be formally coordinated? If 
so, how? What are the proper roles of standards bodies, advisory 
committees such as the North American Numbering Council (NANC), 
industry authorities, numbering and data services and the FCC?
    39. The NIST Framework for Improving Critical Infrastructure 
Cybersecurity (NIST CSF) has been voluntarily used by members 
of the critical infrastructure community, including the communications 
sector, for several years to help manage cybersecurity risk. Please 
comment on whether, and if so how, the NIST CSF can be used to manage 
risk for 5G service providers and networks. The NIST CSF includes 
several top level organizational functions that can be performed 
concurrently and continuously to form an operational culture that 
addresses dynamic security risk, namely, Identify, Protect, Detect, 
Respond, and Recover (IPDRR). Please comment on unique factors with 
respect to these functions that should guide 5G design, standards 
development and operations.
3. Other Considerations
    40. Are there additional functions that should be considered in the 
5G environment? How should addressing

[[Page 7830]]

and naming be accommodated for 5G? Are stakeholders working to evolve 
any of today's numbering schemas to encompass 5G? What practical steps 
should 5G planners take in order to ensure that the functions discussed 
in this NOI, and any other relevant functions, are properly considered 
and implemented within their respective organizations?
4. Benefits and Costs
    41. Please comment on the public harm expected to result from 
failure to integrate confidentiality, integrity and availability into 
5G networks through authentication, encryption, physical and device 
security, protecting against DoS attacks, patch management and risk 
segmentation. Could failure to implement these measures decrease 
broadband adoption and detract from its productive economic use? Could 
implementing them reduce the risk of loss of competitively sensitive 
information for businesses? Could it prevent the loss of consumers' 
personally 
identifiable information? Could it play a role in preventing the 
unnecessary loss of life or property by, for example, preventing 
malicious intrusion into critical infrastructure? How should the FCC 
quantify these benefits in terms of their economic impact? What other 
benefits would likely stem from an appropriately secure 5G network?
    42. Please comment on the costs associated with the implementation 
of the measures discussed above as investments early in the design and 
build plans of networks, as opposed to ``bolt-on'' security after 
deployment. Are there opportunities for 5G implementation that would 
only be realized if networks are perceived to be secure? Are there some 
security elements that, by plan, should be ``just in time'' or reactive 
investments, based on realized threats, after 5G implementation? Would 
these costs include those associated with updating existing hardware, 
firmware, software, and applications? How would the costs of system 
updates compare to the costs of adding entirely new elements for a 
totally new security posture? Do benefits and costs vary depending on 
the use of open-source software compared to proprietary software? If 
so, to what extent are open-source solutions available that could 
reduce costs? Are there scale economies observed across local, regional 
and nationwide 5G networks? Please comment on specific costs associated 
with authentication, encryption, physical and device security, 
protecting against DDoS attacks, patch management and risk segmentation 
in the 5G environment.

C. 5G Implications for Public Safety

    43. Many public safety services and technologies are undergoing 
radical change as underlying networks transition from legacy to IP-
based modes. Will any new categories of public safety sensors or other 
machine-based tools become part of the 5G public safety 
communications architecture? The development of 5G networks will 
potentially contribute new capabilities to these IP-based public safety 
platforms while also creating new challenges, including security 
challenges, for public safety entities.
    44. Please comment on the security implications of linking or 
integrating 5G networks with IP-based public safety communications 
platforms. Could this create new security risks or vulnerabilities for 
NG911, first responder communications, or emergency alerting? What 
responsibility should 5G service providers have for mitigating and 
managing these risks? Conversely, could 5G networks help reduce 
security risks that public safety faces in migrating from legacy to IP-
based technologies? Could 5G services support ICAM in a manner that 
reduces these security risks? Should public safety anticipate a need 
for unmanned, unattended device ICAM? Are there special considerations 
for standards development for public safety services and technologies 
for 5G, and if so, are standards bodies addressing these issues? Is 
there a need for additional standards body involvement?

III. Procedural Matters

A. Ex Parte Rules

    45. This proceeding shall be treated as a ``permit-but-disclose'' 
proceeding in accordance with the Commission's ex parte rules. Persons 
making ex parte presentations must file a copy of any written 
presentation or a memorandum summarizing any oral presentation within 
two business days after the presentation (unless a different deadline 
applicable to the Sunshine period applies). Persons making oral ex 
parte presentations are reminded that memoranda summarizing the 
presentation must (1) list all persons attending or otherwise 
participating in the meeting at which the ex parte presentation was 
made, and (2) summarize all data presented and arguments made during 
the presentation. If the presentation consisted in whole or in part of 
the presentation of data or arguments already reflected in the 
presenter's written comments, memoranda or other filings in the 
proceeding, the presenter may provide citations to such data or 
arguments in his or her prior comments, memoranda, or other filings 
(specifying the relevant page and/or paragraph numbers where such data 
or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with rule 1.1206(b). In proceedings governed by 
rule 1.49(f) or for which the Commission has made available a method of 
electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize themselves with the Commission's ex parte rules.

Federal Communications Commission.
David Grey Simpson,
Chief, Public Safety & Homeland Security Bureau.
[FR Doc. 2017-01325 Filed 1-19-17; 8:45 am]
 BILLING CODE 6712-01-P



                                                  The complete text may be purchased                      between relevant standards bodies and                  refer to those three interrelated, and
                                                  from the Commission’s copy contractor,                  prospective 5G providers on the best                   dynamic principles (‘‘that collectively
mstockstill on DSK3G9T082PROD with NOTICES




                                                  445 12th Street SW., Roomy CY–B402,                     methods for ensuring that networks and                 guide security practices and illustrate
                                                  Washington, DC 20554. Alternative                       devices are secure from the beginning.                 the various considerations that must be
                                                  formats are available for people with                      4. PSHSB intends this inquiry to                    applied when developing a security
                                                  disabilities (Braille, large print,                     complement the important work on                       posture for communications
                                                  electronic files, audio format), by                     cybersecurity that is already taking                   technologies and services.
                                                  sending an email to fcc504@fcc.gov or                   place within the government and                        Confidentiality’’ refers to protecting data
                                                  calling the Commission’s Consumer and                   private sector. The FCC, these other                   from unauthorized access and


disclosure. ‘‘Integrity’’ refers to protecting data from unauthorized modification or destruction, both at rest and in transit. Finally, ‘‘availability’’ refers to whether a network provides timely, reliable access to data and information services for authorized users. All three of these principles are fundamental to any security framework and are dynamically interrelated, and thus no particular principle should be addressed in isolation if 5G security is to be achieved.

7. As an initial matter, the NOI seeks to understand the current state of security planning for 5G networks. Please comment on the current efforts across industry to study 5G security, develop security protocols and solutions, and triage 5G security issues when they arise. How are equipment developers considering security in the design of 5G equipment? How are service providers considering security in the planning of 5G networks and ensuring end-to-end security where 5G technology is integrated with prior generation technology in heterogeneous networks? How can the FCC support and enhance this work? What known vulnerabilities require increased study? How should 5G differ in terms of cybersecurity needs from its widely-deployed predecessor generation, 4G LTE? What cybersecurity lessons can be learned from 4G deployment and operational experience that are applicable to the 5G security environment? What should be different, if anything, between LTE pre-5G deployment and post-5G deployment?

8. The Commission encourages commenters to consider this common thread throughout the NOI: how can the FCC, working together with other stakeholders, ensure the rapid deployment of secure 5G networks, services, and technologies?

A. Protecting Confidentiality, Integrity, and Availability

9. The FCC seeks to promote 5G security through a ‘‘security-by-design’’ approach to 5G development. The NOI seeks comment on the premise that, by utilizing the ‘‘confidentiality,’’ ‘‘integrity,’’ and ‘‘availability’’ (CIA) principles, a firm may avoid or mitigate 5G network and device data security risk through strong, adaptive protections against unauthorized use, disclosure, and access. What are the benefits and limitations of a security-by-design approach and of employing CIA principles?

10. Please comment on how the CIA principles are being considered for 5G networks, systems, and devices. In particular, the NOI examines below how CIA principles are being taken into consideration with respect to authentication, encryption, physical security, device security, protecting 5G networks from cyber attacks, patch management, and risk segmentation of networks. This is a non-exclusive list, and comment is requested on other areas that are potential vulnerabilities for 5G.

1. Authentication

11. Preserving the confidentiality and integrity of networks, systems, and data depends on limiting access to authorized users. This is typically accomplished through effective, and sometimes mutual, authentication. Mutual authentication generally requires that both entities involved in a transaction verify each other’s identity at the same time. The NOI seeks comment on the use of authentication in networks today and whether existing authentication practices will be applicable to the 5G environment. The NOI further seeks comment on the effective use of mutual authentication, in particular, for protecting 5G networks against unauthorized access and end-user devices against attaching to malicious network components, as well as the perceived limitations and drawbacks of those uses. Are there specific considerations that would apply to 5G devices? Under what circumstances would mutual authentication be considered essential to ensure or bolster security? Are there any circumstances where mutual authentication would not be beneficial? If a communications provider did not invest in mutual authentication, how would that likely affect its relative overall security risk? What other authentication methodologies might be effective for 5G security? Would the mass deployment of high-volume, low-cost 5G devices in IoT networks present particular authentication challenges? How can providers effectively authenticate the communications of high-volume, low-cost 5G devices—device to device, device to network, and network to device? How can providers effectively address these challenges? Would it be appropriate for 5G architects to consider identity credentialing and access management, in addition to authentication?

2. Encryption

12. Encryption can be an important aspect of protecting confidentiality, integrity and availability in communications environments. The NOI seeks comment on the planned deployment and use of encryption to promote 5G security, as well as on the perceived challenges, costs, and benefits of encryption at both the network and device levels.

13. Please comment on whether currently available encryption protocols are effective in securing devices and are likely to be effective in a 5G environment in which innumerable, low-cost devices are expected to operate, as well as ways that 5G participants can address encryption key management and distribution mechanism challenges. Additionally, comment is requested on stakeholder responsibilities with respect to objective encryption key management for 5G.

14. Please also comment on whether encryption is necessary for all 5G communications, and whether the decisions made by the 3rd Generation Partnership Project (3GPP) standards body that resulted in non-encryption for such systems are rooted in increased latency, degraded performance due to added signaling or computational requirements, an interest in minimizing changes to LTE standards as 5G is standardized, or other factors. Please comment on what lessons, if any, can be learned from the underlying rationale of these decisions as they pertain to encryption for 5G communications.

15. Finally, the NOI seeks comment on whether 5G service providers should distinguish between the application of encryption to products that would operate primarily on the 5G control plane and those that would be part of the user plane. If such a distinction is desirable, how should such a distinction be made?

3. Physical Security

16. Physical security aims to protect networks and critical components of end-user devices, even where those devices are in the possession of unauthorized users. Please comment on physical security objectives and needs in the 5G environment, and on any other considerations the FCC should take into account in its examination of physical security of 5G networks and devices.

17. What device- and network-based physical security methods would be most effective if applied to 5G devices? To what extent does lack of physical security pose a threat to, or introduce risk from, unsupervised 5G devices? Will the 5G environment present any new or unique challenges? What other issues and factors should the FCC consider on the question of preserving confidentiality, integrity and availability through physical security?

                                                    18. What aspects or uses of 5G                        6. Patch Management                                    produced that present a common
                                                  networks should be considered                              22. For more than a decade,                         approach, or describe a best practice, to
                                                  ‘‘mission critical’’ and, as such, do they              communications security authorities                    facilitate patch management procedures
                                                  warrant special consideration with                      and expert bodies, such as the FCC’s                   that can be applied regardless of the
                                                  respect to physical security? What                      Federal Advisory Committee for                         underlying device operating system in a
                                                  ‘‘mission critical’’ activities distinguish             communications security policy                         5G ecosystem. In the absence of any
                                                  these networks and how can they be                      development The FCC seeks comment                      deployed standard, should this effort be
                                                  physically secured in the 5G                            and supporting data on patch                           explored, and if so, which standards
                                                  environment? Should certain 5G                          management’s role as part of a service                 body or forum would be the best
                                                  networks be physically diverse at the                   provider’s overall security risk                       candidate to address this issue? What
                                                  network level as a result of the                        management strategy in the 5G                          other issues and factors should the FCC
                                                  ‘‘mission-critical’’ aspects they support               environment.                                           consider on the question of preserving
                                                  or enable? If so, how should that                          23. Please also comment on which 5G                 CIA through patch management?
                                                  diversity be achieved?                                  network elements can be successfully                   7. Risk Segmentation
                                                  4. Device Security                                      maintained by service providers through
                                                                                                          patch management. There are generally                     26. Risk segmentation involves
                                                     19. Ensuring the provision of                        four types of patches that are pushed to               splitting network elements into separate
                                                                                                          devices with service provider                          components to help isolate security
                                                  confidentiality, integrity, and
                                                                                                          involvement: (1) Patches from service                  breaches and minimize overall risk. Risk
                                                  availability requires that devices are
                                                                                                          providers to their own infrastructure; (2)             segmentation or network slicing might
                                                  secure and capable of authenticating on
                                                                                                          patches service providers require and                  allow greater resiliency, more effective
                                                  the network. What methodologies will
                                                                                                          push on to subscriber devices; (3)                     cyber threat monitoring and analysis
                                                  be used to protect the variety of devices
                                                                                                          patches to third-party infrastructure that             and stronger security for network
                                                  connected to 5G networks? Is current
                                                                                                          are leased by service providers but                    service supporting critical infrastructure
                                                  SIM technology robust enough to ensure
                                                                                                          owned by a third party; (4) patches to                 communications (to include ICS and
                                                  security without posing threats to
                                                                                                          subscriber devices that are sent by                    SCADA). Please comment on the use of
                                                  consumers, service providers, or the
                                                                                                          device manufactures under the direction                segmentation in 5G networks and how
                                                  underlying infrastructure? Will SIM
                                                                                                          of service providers. For each type of                 segmentation can reduce risk in such
                                                  technology be leveraged for 5G? Do                                                                             networks.
                                                  standards for next generation SIM cards                 patch, please comment on processes
                                                                                                          that service providers and mobile device                  27. Please provide comments and
                                                  effectively address security and integrity
                                                                                                          manufacturers should adopt to sustain                  supporting data on ways that
                                                  concerns? What new security benefits or
                                                                                                          an effective patch management program                  segmentation could be achieved
                                                  challenges are created by the use of
                                                                                                          in the 5G environment. How do service                  throughout the 5G ecosystem to ensure
                                                  eSIMs? Are there non-SIM methods that
                                                                                                          providers and mobile device                            service providers have greater
                                                  should be considered for high-volume,
                                                                                                          manufacturers routinely make                           situational awareness and ability to
                                                  low-cost devices, and if so, are
                                                                                                          themselves aware of new vulnerabilities                respond to, and contain, security
                                                  standards bodies currently developing
                                                                                                          that need to be patched? How soon after                threats. What lessons have service
                                                  standards for such methods? What other
                                                                                                          a vulnerability is discovered is the                   providers and other enterprises learned
                                                  issues and factors should the FCC
                                                                                                          corresponding patch pushed to devices?                 about the application of segmentation in
                                                  consider on the question of preserving
                                                                                                          What other mechanisms might preclude                   older networks that can be applied to 5G
                                                  CIA through device security?
                                                                                                          unauthenticated code from running on                   networks? To what extent can service
                                                  5. Protecting 5G Networks From DoS                      5G devices that are connected to their                 providers use network segmentation
                                                  and DDoS Attacks                                        networks?                                              technologies, such as a virtual private
                                                                                                             24. Please comment on how 5G                        network (VPN) or other cryptographic
                                                     20. A security exploit that targets                  service providers and equipment                        separation, to help ensure that no device
                                                  network resources, such as a Denial-of-                 manufacturers can ensure that critical                 operating on their network’s control
                                                  Service (DoS) or Distributed Denial of                  security software updates are installed                plane is directly and immediately
                                                  Service (DDoS) attack, could have an                    on their subscriber devices in a timely                accessible via the Internet? Could VPNs
                                                  impact on availability of service by                    fashion. How can 5G service providers                  or a similar mechanism be scaled in
                                                  causing a total or partial disruption of                effectively ensure firmware and                        such a way that 5G providers could
                                                  service. The NOI seeks comment and                      software patch management related to                   implement segmentation across their
                                                  supporting data on the mechanisms                       security through their customer                        entire ecosystem? Please comment on
                                                  most likely to be effective at preserving               relationships? How common is it for                    the technologies used for network
                                                  confidentiality, integrity and availability             manufacturers or service providers to                  segmentation, and on how to ensure that
                                                  through mitigation of DoS and DDoS                      rely on consumers to become aware of                   future networks employing these new
                                                  attack risks in the planned 5G                          and install patches to their software                  architectures use security-by-design
                                                  environment, including techniques for                   and/or hardware? What do 5G service                    principles to minimize security risk.
                                                  protecting both the network control and                 providers plan to do to help ensure that                  28. Should segmentation in the 5G
                                                  data planes. Which methods of defense                   a subscriber’s devices remain                          environment be based on geography or
                                                  against DoS and DDoS attacks are the                    ‘‘patchable’’ and/or ‘‘discoverable’’ for              region, on type of function or device, or
                                                  most cost-effective?                                    purposes of device updates? How can                    by community of interest? To what
                                                     21. Please comment on whether                        consumers determine whether an older                   extent are service providers segmenting
                                                  additional standards are needed to assist               device or service, no longer being sold                physical, logical and virtual risks?
                                                  in mitigating DoS and DDoS attacks.                     at retail, is still receiving security-                Please comment on what 5G service
                                                  What anti-spoofing technologies are                     related patches and whether it is still                providers plan to do to establish logical
                                                  most likely to be effective in the 5G                   safe to use?                                           and physical separation of different
                                                  environment, and what are the                              25. Finally, please comment on                      bands and/or receive antennas in order
                                                  challenges to their deployment?                         whether relevant standards have been                   to improve integrated device security.



29. Please comment on whether certain network elements or activities
merit special consideration with respect to risk segmentation. To what
extent are such segmentation strategies effective in reducing security
risk?

30. Risk segmentation can also be applied to devices in terms of
firmware, software, and data. In some cases, configuration data may be
set as read-only by the device, but can only be changed by the service
provider. Please comment on whether privacy features and requirements
have been standardized in organizations like 3GPP (and to what extent
they will be standardized for 5G) to support confidentiality and
integrity of information. What other issues and factors should the FCC
consider on the question of preserving CIA through segmentation?

31. Finally, with respect to each of the topics discussed above, the FCC
seeks information regarding which standards bodies are involved and the
state of standards development to protect CIA in the 5G environment. Is
there a need for additional standards body involvement?

B. Additional 5G Security Considerations

1. Overview

32. It is widely expected that 5G networks will be used to connect the
myriad devices, sensors and other elements that will form the Internet
of Things (IoT). The anticipated diversity and complexity of these
networks, how they interconnect, and the sheer number of discrete
elements they will comprise raise concerns about the effective
management of cyber threats. How can holistic security objectives for 5G
be established? What roles can service providers and device
manufacturers play to reduce security risk for various communities of
interest? How should service providers, device manufacturers, standards
bodies and the FCC coordinate their efforts? Are there particular
standards being developed for 5G IoT applications? Finally, please
comment on benefits and costs associated with effective hardware,
firmware, software, and application security for 5G.

33. Please provide comments on the extent to which IoT devices could
place 5G networks at unique risk. For example, are there particular
vulnerabilities that arise from, or are increased by, the fact that 5G
communications have relatively short range and rely on multiple access
points? It is possible that some of IoT devices will have limited
security features. Could this have a negative effect on overall 5G
network security? If so, what roles can network equipment providers,
ISPs and device manufacturers play, by themselves and in coordination,
to mitigate the risks? Are any lessons being learned from the October
2016 DDoS attacks relevant to 5G? Where risk externalities exist? How
will the 5G marketplace address cybersecurity risk in the commons?

34. Please comment on whether and how security needs for 5G IoT devices
might differ from other infrastructures, including, in particular, each
of the critical infrastructure sectors. What expectations would various
critical infrastructure sectors likely have for the security
capabilities and features of 5G services? Does the government have a
role where residual risk unduly threatens critical infrastructure or
national security, and if so, what should it be?

35. Given the likely unprecedented diversity of connected devices and
their manufacturers, comment is sought on whether 5G security could be
challenged by hardware issues, including threats from a compromised
supply chain. How are service providers and equipment manufacturers
currently assessing supply chain risks? Are they assessing risks
consistent with NIST guidelines? The FCC seeks comment on whether, and
if so, how 5G service providers should ensure the provenance of the
hardware, firmware, software, and applications operating in their
environments. What special considerations, if any, should be applied
relative to 5G supply chain risks?

36. Please comment on benefits and costs associated with effective
hardware, firmware, software, and application security for 5G. What are
the costs associated with updating existing hardware, firmware,
software, and applications versus the costs of adding entirely new
elements for a totally new security posture? Is there a role for
5G-specific third party security entities? Do benefits and costs vary
depending on the use of open-source software compared to proprietary
software? What are the costs of adding security-specific features to 5G
network hardware, firmware, software and applications? Are there scale
economies observed across local, regional, and nationwide 5G networks?
Finally, what other issues or factors should the FCC consider with
respect to the preservation of confidentiality, integrity and
availability in the 5G environment?

2. Roles and Responsibilities

37. Because of the anticipated proliferation of 5G networks and the
devices that will be deployed on them, there is a chance that the cyber
integrity of the network as a whole could be overlooked on the
assumption that another network participant would be responsible. Is
this a valid concern? Please provide comments on who should be
responsible for assuring cyber security across the 5G ecosystem, what
principles should guide the management of cyber risk, and how cyber risk
should be managed within companies. How should providers work together
across the 5G ecosystem to achieve desirable outcomes in cyber risk
management?

38. Relatedly, please provide information on how the 5G ecosystem will
share information about cyber threats and concerns. Please comment on
whether an Information Sharing and Analysis Organization (ISAO)
construct could be or should be applied to the 5G ecosystem. Would it be
appropriate to develop a 5G-specific ISAO? Should 5G networks be
instrumented to support automated cybersecurity threat indicators and
network anomaly information sharing and analysis? Is an ISAO or multiple
ISAOs the right focal point for automated cyber information sharing and
analysis? Should it address IoT concerns more broadly or focus on
network-based considerations? Who should be involved? Should work of
ISAOs dealing with related topics be formally coordinated? If so, how?
What are the proper roles of standards bodies, advisory committees such
as the North American Numbering Council (NANC), industry authorities,
numbering and data services and the FCC?

39. The NIST Framework for Improving Critical Infrastructure
Cybersecurity Framework (NIST CSF) has been voluntarily used by members
of the critical infrastructure community, including the communications
sector, for several years to help manage cybersecurity risk. Please
comment on whether, and if so how, the NIST CSF can be used to manage
risk for 5G service providers and networks. The NIST CSF includes
several top level organizational functions that can be performed
concurrently and continuously to form an operational culture that
addresses dynamic security risk, namely, Identify, Detect, Protect,
Respond, and Recover (IPDRR). Please comment on unique factors with
respect to these functions that should guide 5G design, standards
development and operations.

3. Other Considerations

40. Are there additional functions that should be considered in the 5G
environment? How should addressing
and naming be accommodated for 5G? Are stakeholders working to evolve
any of today’s numbering schemas to encompass 5G? What practical steps
should 5G planners take in order to ensure that the functions discussed
in this NOI, and any other relevant functions, are properly considered
and implemented within their respective organizations?

4. Benefits and Costs

41. Please comment on the public harm expected to result from failure to
integrate confidentiality, integrity and availability into 5G networks
through authentication, encryption, physical and device security,
protecting against DoS attacks, patch management and risk segmentation.
Could failure to implement these measures decrease broadband adoption
and detract from its productive economic use? Could it reduce the risk
of loss of competitively sensitive information for businesses? Could it
prevent the loss of consumers’ personally identifiable information?
Could it play a role in preventing the unnecessary loss of life or
property by, for example, preventing malicious intrusion into critical
infrastructure? How should the FCC quantify these benefits in terms of
their economic impact? What other benefits would likely stem from an
appropriately secure 5G network?

42. Please comment on the costs associated with the implementation of
the measures discussed above as investments early in the design and
build plans of networks, as opposed to ‘‘bolt-on’’ security after
deployment. Are there opportunities for 5G implementation that would
only be realized if networks are perceived to be secure? Are there some
security elements that, by plan, should be ‘‘just in time’’ or reactive
investments, based on realized threats, after 5G implementation? Would
these costs include those associated with updating existing hardware,
firmware, software, and applications? How would the costs of system
updates compare to the costs of adding entirely new elements for a
totally new security posture? Do benefits and costs vary depending on
the use of open-source software compared to proprietary software? If so,
to what extent are open-source solutions available that could reduce
costs? Are there scale economies observed across local, regional and
nationwide 5G networks? Please comment on specific costs associated with
authentication, encryption, physical and device security, protecting
against DDoS attacks, patch management and risk segmentation in the 5G
environment.

C. 5G Implications for Public Safety

43. Many public safety services and technologies are undergoing radical
change as underlying networks transition from legacy to IP-based modes.
Will any new categories of public safety sensors or other machine-based
tools become an included part of 5G public safety communications
architecture? The development of 5G networks will potentially contribute
new capabilities to these IP-based public safety platforms while also
creating new challenges, including security challenges, for public
safety entities.

44. Please comment on the security implications of linking or
integrating 5G networks with IP-based public safety communications
platforms. Could this create new security risks or vulnerabilities for
NG911, first responder communications, or emergency alerting? What
responsibility should 5G service providers have for mitigating and
managing these risks? Conversely, could 5G networks help reduce security
risks that public safety faces in migrating from legacy to IP-based
technologies? Could 5G services support ICAM in a manner that reduces
these security risks? Should public safety anticipate a need for
unmanned, unattended device ICAM? Are there special considerations for
standards development for public safety services and technologies for
5G, and if so, are standards bodies addressing these issues? Is there a
need for additional standards body involvement?

III. Procedural Matters

A. Ex Parte Rules

45. This proceeding shall be treated as a ‘‘permit-but-disclose’’
proceeding in accordance with the Commission’s ex parte rules. Persons
making ex parte presentations must file a copy of any written
presentation or a memorandum summarizing any oral presentation within
two business days after the presentation (unless a different deadline
applicable to the Sunshine period applies). Persons making oral ex parte
presentations are reminded that memoranda summarizing the presentation
must (1) list all persons attending or otherwise participating in the
meeting at which the ex parte presentation was made, and (2) summarize
all data presented and arguments made during the presentation. If the
presentation consisted in whole or in part of the presentation of data
or arguments already reflected in the presenter’s written comments,
memoranda or other filings in the proceeding, the presenter may provide
citations to such data or arguments in his or her prior comments,
memoranda, or other filings (specifying the relevant page and/or
paragraph numbers where such data or arguments can be found) in lieu of
summarizing them in the memorandum. Documents shown or given to
Commission staff during ex parte meetings are deemed to be written ex
parte presentations and must be filed consistent with rule 1.1206(b). In
proceedings governed by rule 1.49(f) or for which the Commission has
made available a method of electronic filing, written ex parte
presentations and memoranda summarizing oral ex parte presentations, and
all attachments thereto, must be filed through the electronic comment
filing system available for that proceeding, and must be filed in their
native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in
this proceeding should familiarize themselves with the Commission’s ex
parte rules.

Federal Communications Commission.
David Grey Simpson,
Chief, Public Safety & Homeland Security Bureau.
[FR Doc. 2017–01325 Filed 1–19–17; 8:45 am]
BILLING CODE 6712–01–P

FEDERAL DEPOSIT INSURANCE CORPORATION

Sunshine Act Meeting

Pursuant to the provisions of the ‘‘Government in the Sunshine Act’’ (5
U.S.C. 552b), notice is hereby given that at 10:01 a.m. on Wednesday,
January 18, 2017, the Board of Directors of the Federal Deposit
Insurance Corporation met in closed session to consider matters related
to the Corporation’s supervision, corporate, and resolution activities.

In calling the meeting, the Board determined, on motion of Vice Chairman
Thomas M. Hoenig, seconded by Director Thomas J. Curry (Comptroller of
the Currency), concurred in by Director Richard Cordray (Director,
Consumer Financial Protection Bureau), and Chairman Martin J. Gruenberg,
that Corporation business required its consideration of the matters
which were to be the subject of this meeting on less than seven days’
notice to the public; that no earlier notice of the meeting was
practicable; that the public interest did not require consideration of
the matters in a meeting open to public observation; and that the
matters could be considered in a closed meeting by authority of

Document Created: 2017-01-20 01:30:22
Document Modified: 2017-01-20 01:30:22
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice.
Dates: Comments are due on or before April 24, 2017; reply comments are due on or before May 23, 2017.
Contact: For further information, contact Gregory Intoccia of the Public Safety and Homeland Security Bureau, Communications Cybersecurity and Reliability Division, at (202) 418-1470 or at [email protected]
FR Citation: 82 FR 7825
