FCC Backs Away from Earlier Cybersecurity Mandate, Citing Legal Flaws & Industry Progress
Key Takeaways
- FCC Reversal: The FCC rescinded a prior Declaratory Ruling and withdrew a related rulemaking after determining the earlier approach misinterpreted CALEA and would not have strengthened cybersecurity.
- Salt Typhoon Fallout: The reversal follows months of intensified collaboration with carriers after Salt Typhoon infiltrated at least eight U.S. communications companies.
- Voluntary Measures: Providers have undertaken accelerated patching, tightened access controls, improved threat hunting, reduced outbound connections, and increased information sharing.
- Sharp Scrutiny: Commissioner Gomez argued the reversal abandons the only enforceable cybersecurity effort the agency had advanced and leaves the country less protected.
- Collaborative Approach: Commissioners Carr and Trusty said the FCC will rely on targeted, legally sound actions and public–private coordination rather than broad mandates.
Deep Dive
The Federal Communications Commission is reversing a cybersecurity action it took earlier this year, pulling back a Declaratory Ruling that the agency now says misread federal law and would not have made U.S. networks any safer. The FCC also withdrew a related rule-making proposal built on that same interpretation.
The decision comes after a turbulent year for the communications sector. Following the Salt Typhoon breach, a China-sponsored hacking campaign that infiltrated at least eight U.S. communications companies, the agency has spent months working directly with carriers to shore up vulnerabilities across critical infrastructure. According to the FCC, those companies have since taken on a broad set of defensive improvements, from fast-tracking software patches to tightening access controls and boosting threat-hunting and information-sharing activities.
A Shift Away from the January Approach
Chairman Brendan Carr and Commissioner Olivia Trusty voted to scrap the earlier ruling, while Commissioner Anna Gomez dissented. The majority argued that the previous Commission stretched the Communications Assistance for Law Enforcement Act (CALEA) far beyond its intended scope by trying to use a lawful-intercept provision as the basis for mandating network-wide cybersecurity practices. That interpretation, Carr said, was both legally unsound and at odds with guidance from the intelligence community.
Carr described the earlier action as rushed through just before the last presidential transition and said national security officials at the time warned that imposing top-down requirements would undermine the cooperation needed to address threats like Salt Typhoon.
The agency also pointed to other steps it has taken in 2025 as proof that it’s not backing away from cybersecurity, just abandoning an approach it believes would not have worked.
Those actions include a new Council on National Security to coordinate more closely with the intelligence community, new security rules for submarine cable operators, and closing longstanding loopholes in equipment-security regulations. The FCC also moved to bar “bad labs” from its equipment authorization program to prevent compromised testing entities from entering the supply chain.
A Strong Statement From Commissioner Gomez
Gomez rejected the reversal outright, calling Salt Typhoon “the worst telecommunications hack in our nation’s history” and arguing that voluntary cooperation is insufficient against state-sponsored adversaries. She said the January Declaratory Ruling and its accompanying NPRM were designed to introduce real accountability and create enforceable cybersecurity obligations, something she believes the FCC still has not put forward.
Gomez argued that CALEA does grant the agency authority to impose certain cybersecurity requirements and warned that abandoning the earlier effort leaves the country less prepared for the next breach.
“Handshake agreements without teeth will not stop state-sponsored hackers,” she wrote, adding that the majority has not produced any replacement proposal, milestones, or standards that would guide the next phase of the FCC’s response.
Trusty Backs the Reversal
Trusty, siding with the majority, framed the decision as a necessary “course correction” to keep the FCC within the limits of its legal authority. She said the January approach risked generating confusion rather than clarity and praised recent voluntary steps taken by providers as meaningful progress.
She emphasized that collaboration, backed by monitoring, enforcement, and future rule-makings as needed, remains one of the most effective tools against foreign cyber threats.
The split highlights an unresolved debate over whether the agency should rely on voluntary security measures from the private sector or whether enforceable standards are needed to confront increasingly sophisticated foreign adversaries.
For now, the FCC is choosing coordination over mandates—a decision that supporters call pragmatic and that critics say leaves the nation exposed.

