FCC to scrap telecom cybersecurity mandate


FCC vote to scrap telecom cybersecurity mandate: what changed and why it matters

The Federal Communications Commission plans a November vote to rescind a January ruling that tied carrier cybersecurity obligations to CALEA, resetting the regulatory posture after high-profile intrusions tied to Chinese state-linked actors.

What the FCC reversal rescinds under CALEA

In January, the FCC interpreted the Communications Assistance for Law Enforcement Act (CALEA) to require telecommunications carriers to protect their networks against unlawful access or interception, and paired that interpretation with a proposal to require written cybersecurity plans and baseline controls. The new chair has proposed reversing both the legal interpretation and the follow-on rulemaking, arguing the agency overreached and that a uniform rule would be inflexible and vague. The commission signals it will pivot to a more targeted, collaborative posture with carriers instead of a one-size-fits-all mandate.


Industry pushback and the CALEA legal basis

Large internet and telecom trade groups pressed the FCC to withdraw the approach, contending CALEA focuses on lawful intercept capabilities, not broad cybersecurity governance. The new draft order states that prior leadership read the statute and court interpretations too expansively, especially around the concept of interception, and warns that an across-the-board compliance regime could burden operators without measurably improving security.

Salt Typhoon backdrop and a year of telecom breaches

The January shift followed major intrusions attributed to China, including the Salt Typhoon campaign that penetrated large US carriers such as Verizon and AT&T, exposed sensitive metadata, and reportedly touched information about federal wiretaps. Separate reporting indicated a backbone technology provider to US and international operators was compromised for months. Against that backdrop, the January order sketched basic expectations like role-based access, stronger authentication, password hygiene, and timely patching—controls the November proposal would no longer anchor in CALEA.

Why the FCC reversal matters for carriers and vendors

Rolling back the mandate leaves a governance gap at the federal level and shifts the spotlight to voluntary commitments, sector guidance, and market incentives.

From mandate to voluntary telecom cybersecurity commitments

If the vote passes, there will be no explicit federal cybersecurity requirement unique to telecom networks beyond existing cross-sector expectations and incident reporting rules. The FCC points to extensive engagement with carriers and promises to detail voluntary steps taken. That approach can drive flexibility, but it also creates uneven baselines across operators and complicates benchmarking for customers, partners, and insurers.

Securing lawful intercept and other privileged systems

The most damaging breaches exploited access paths to lawful intercept, mediation platforms, and sensitive signaling domains. Whether or not CALEA is a legal hook, carriers will still be judged on how they harden LI systems, switching premises, and 5G core control planes against covert interception, credential abuse, and supply chain tampering. Operators should expect continued scrutiny from law enforcement, CISA, and congressional oversight on these specific risk areas.

Intersection with rip-and-replace, CISA, and CSRIC guidance

The reversal does not change parallel policies such as the “rip-and-replace” program that removes untrusted equipment under the Secure and Trusted Communications Networks Act. It also does not replace sector guidance from CISA or best practices developed under the FCC’s CSRIC. The practical effect is to move from prescriptive compliance toward frameworks and attestations anchored in recognized standards.

Telecom cybersecurity actions to take now

In the absence of a prescriptive rule, carriers and vendors need to demonstrate resilience through controls, transparency, and measurable outcomes aligned to widely accepted frameworks.

Codify a baseline mapped to NIST CSF 2.0 and CISA CPGs

Institutionalize controls that the January order highlighted—role-based access, elimination of default credentials, strong passwords and multifactor authentication, and fast patching—and map them to NIST Cybersecurity Framework 2.0 and CISA’s Cross-Sector Cybersecurity Performance Goals. For regulated affiliates, align with NIST SP 800-53 or ISO/IEC 27001 to support third-party assurance and insurer due diligence.

Harden SS7, Diameter, SIP, and 5G SBA attack surfaces

Prioritize defense-in-depth for SS7, Diameter, SIP, and 5G Service-Based Architecture interfaces; segment and monitor lawful intercept and mediation systems; and enforce just-in-time privileged access with continuous session recording. Adopt zero trust patterns for the 5G core and management planes, and apply rigorous change control to NE and OSS/BSS domains. Use anomaly detection tuned for signaling abuse and call detail record exfiltration.

Strengthen supply chain security and vendor assurance

Expand third-party risk programs to require software bills of materials, secure development attestations, and vulnerability disclosure practices from network and LI vendors. Leverage GSMA NESAS/SCAS for 5G equipment assurance and 3GPP SA3 guidance for security features. Contractually bind managed service providers and backbone partners to response SLAs, telemetry sharing, and independent audits.

Continuously test resilience and verify controls

Run adversary emulation and purple-team exercises against LI, core control, and interconnect gateways; validate detection of covert interception attempts and credential pivoting. Implement continuous control monitoring, configuration drift detection, and automated remediation for high-severity exposures. Tie outcomes to board-level metrics such as mean time to detect, privilege abuse rates, and patch SLAs on crown-jewel systems.

Key milestones to watch next

Expect fast-moving policy, disclosure, and market reactions as the FCC finalizes its vote and carriers publicize their commitments.

November 20 FCC vote and potential legal challenges

The commission plans to vote on November 20. Watch for dissents and whether advocacy groups or state attorneys general seek review. Any court action could prolong uncertainty for compliance teams planning 2025 control roadmaps.

Carrier commitments and updates from CISA and the FCC

The FCC indicated it will publish details on operator actions; look for common denominators that could become de facto baselines. Also track updates from CISA on sector-specific performance goals and joint advisories on telecom threats, which will shape enterprise and interconnect requirements.

Enterprise and public sector security expectations

Large enterprise and public sector buyers will continue to insert security addenda into carrier MSAs demanding MFA, privileged access controls, rapid patching, and breach notification windows. Vendors that can evidence alignment to NIST CSF, GSMA NESAS, and independent assessments will be better positioned in RFPs even without an FCC mandate.

Signals from Verizon, AT&T, and backbone providers

Statements from Verizon, AT&T, and backbone providers will set benchmarks for the sector; pay attention to specifics on LI segregation, telemetry sharing, and timelines for hardening core control planes, which will indicate whether voluntary measures rise to the moment revealed by recent intrusions.
