Full Report
Months after China-linked spies burrowed into US networks, regulator tears up its own response The Federal Communications Commission (FCC) has scrapped a set of telecom cybersecurity rules introduced after the Salt Typhoon espionage campaign, reversing course on measures designed to stop state-backed snoops from slipping back into America's networks.…
Analysis Summary
# Regulation/Compliance: FCC Revocation of January Declaratory Ruling (Post-Salt Typhoon)
## Overview
This summary details the Federal Communications Commission's (FCC) decision to scrap cybersecurity rules originally introduced after the Salt Typhoon espionage campaign. These rules, established via a January Declaratory Ruling, were intended to fortify telecom networks, particularly those related to lawful intercept functions under CALEA, against state-backed espionage. The revocation signals a pivot away from formal, mandated obligations toward relying on voluntary cooperation and existing informal oversight mechanisms.
## Key Details
- **Issuing Authority:** Federal Communications Commission (FCC)
- **Effective Date:** The revocation was approved "last week" relative to the article date (Mon 24 Nov 2025). The ruling being revoked was from January 2025.
- **Jurisdiction:** United States telecommunications carriers whose networks handle lawful intercept functions under CALEA.
- **Status:** **Revoked/Scrapped** (The requirements imposed by the January Declaratory Ruling are no longer in effect.)
## Requirements
### Mandatory Requirements
*The legally mandated requirements under the specific January Declaratory Ruling have been **removed**.*
1. **(REMOVED)** Carriers no longer have the formal, mandated obligations established by the January Declaratory Ruling to lock down systems under CALEA.
2. **(REMOVED)** No formal baseline obligations remain regarding measures designed to stop foreign intelligence services from infiltrating carrier defenses via lawful intercept stacks or network management gear.
### Recommended Practices
The FCC now frames the current state of security improvements as resulting from **voluntary cooperation and clean-up efforts** following the Salt Typhoon discovery.
1. Enhance access controls.
2. Improve incident response capabilities.
3. Increase general attentiveness to cyber risks based on industry best practices and ongoing coordination with federal partners.
## Affected Organizations
- **Industries:** Telecommunications carriers (Telcos).
- **Organization Size:** The article notes that smaller carriers particularly benefit from universal baselines, implying a disparity in capability between large and small operators remains an open concern without the formal rules.
- **Geographic Scope:** United States.
## Compliance Timeline
Since the specific binding regulation has been revoked, there are **no active compliance deadlines** related to the scrapped January ruling.
- **January 2025 (Approx.):** January Declaratory Ruling issued, imposing new obligations.
- **November 2025 (Approx.):** FCC officially revokes the Declaratory Ruling and the Notice of Proposed Rulemaking.
- **Final deadline:** N/A (Obligations removed).
## Implementation Guidance
### Assessment Phase
- **(Previous guidance)** Assess current defenses, particularly around CALEA-related systems, against the now-scrapped January ruling requirements.
- **(Current situation)** Organizations should assess their current security posture against **agile, targeted rules** the FCC now prioritizes (e.g., submarine cable requirements) and internal risk assessments, relying on self-policing and voluntary improvements.
### Implementation Phase
- Focus shifts from mandated technical builds to **improving security posture based on recent incident response** success observed by the FCC.
- Participate in the "extensive, urgent, and coordinated" cleanup efforts mentioned by the FCC.
### Validation Phase
- **(Previous guidance)** Compliance would have been measured against the specific standards in the Declaratory Ruling.
- **(Current situation)** The mechanism for formal compliance checks and standards adherence for these prior obligations is **removed**. Validation relies on demonstrating proactive, voluntary efforts, though monitoring methods are unspecified. Commissioner Gomez noted there is now "no mechanism for determining which safeguards should have been in place."
## Technical Requirements
No specific, legally executable technical requirements related to the CALEA lockdown rules are currently mandated and enforceable following the revocation. The general requirement is to maintain robust security against state actors.
## Penalties & Enforcement
- **Fines:** **None** are applicable for non-compliance with the *revoked* January ruling's specific mandates. The threat of enforcement and penalty structure associated with that ruling is gone.
- **Other Consequences:** Disapproval from consumer/privacy watchdogs (e.g., EPIC) regarding the removal of enforceable protections.
- **Enforcement:** Enforcement now relies on informal pressure, industry goodwill, and alignment with other, existing targeted regulations (like those for submarine cable licensees).
## Related Standards
- **Communications Assistance for Law Enforcement Act (CALEA):** The revoked rules specifically targeted hardening networks related to CALEA functions. Carriers must still adhere to the underlying CALEA requirements, but the added cybersecurity layer is gone.
- **Targeted Rules:** The FCC points towards existing, targeted rules, such as those for submarine cable licensees requiring cyber-risk management plans.
- **Informal Coordination:** The new approach emphasizes coordination facilitated by the FCC's Council on National Security.
## Resources
- **Official Documentation:** FCC Announcement PDF (DOC-415455A1.pdf) documenting the revocation.
- **Guidance Documents:** Dissenter's Statement PDF (FCC-25-81A3.pdf) detailing concerns over the lack of enforceable standards.
- **Tools:** No specific compliance tools related to the revoked mandate are relevant.
## Practical Recommendations
1. **Assess Security Gaps:** Despite the lack of formal mandates, immediately review the security posture around lawful intercept equipment and sensitive management functions, as these were the targets of the prior intrusion (Salt Typhoon).
2. **Document Voluntary Efforts:** Organizations should rigorously document all proactive security enhancements, incident response improvements, and access control tightening, as these are now the primary defense against future regulatory scrutiny or public failure.
3. **Monitor Related Agendas:** Keep watch on the FCC's "agile" approach and any new, narrowly tailored regulations emerging from the Council on National Security coordination, particularly those affecting supply chain risk or specific infrastructure types.
4. **Advocate for Baselines (If smaller carrier):** Smaller carriers should recognize the removal of universal baselines creates operational risk and should lobby for practical, non-burdensome standards if they lack the resources to self-police against sophisticated state actors.