FCC Communications

The FCC mandates that regulated entities, such as Enhanced Alternative Connect America Model (Enhanced A-CAM) carriers, develop and implement cybersecurity and supply chain risk management plans that align with established frameworks.

Controls:

Implement policies, procedures, and safeguards to protect Customer Proprietary Network Information (CPNI) as required by 47 CFR Part 64, Subpart U.

  • CPNI Policy and Training - CPNI.1.1

    Establish comprehensive written CPNI policies and provide regular training to relevant personnel.

  • Customer Approval Mechanisms - CPNI.1.2

    Implement and adhere to customer approval (opt-in/opt-out) mechanisms for using, disclosing, or permitting access to CPNI for purposes other than providing the telecommunications service for which it was collected.

  • Authentication and Access Controls - CPNI.1.3

    Implement robust authentication procedures to verify customer identity before disclosing CPNI, whether in-store, online, or via telephone.

  • Safeguarding CPNI - CPNI.1.4

    Establish and maintain reasonable administrative, technical, and physical safeguards to protect CPNI from unauthorized access, use, or disclosure.

  • Breach Notification Procedures - CPNI.1.5

    Develop and implement procedures for notifying the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), as well as customers, in the event of a CPNI breach, as required by FCC rules.

  • Annual CPNI Certification - CPNI.1.6

    File an annual certification with the FCC detailing compliance with CPNI rules, including a summary of consumer complaints related to CPNI and actions taken.

  • CPNI Recordkeeping - CPNI.1.7

    Maintain records related to CPNI compliance, including customer approvals, breach incidents, compliance measures, and actions taken on CPNI-related complaints, for at least three years.

Adhere to the Telephone Consumer Protection Act (TCPA) rules (47 CFR § 64.1200) regarding unsolicited communications, autodialers, and the National Do-Not-Call Registry.

  • Do-Not-Call (DNC) Registry Compliance - TCPA.1.1

    Access and honor the National DNC Registry and maintain an internal DNC list for consumers who request not to be called.

  • Autodialer and Prerecorded Message Restrictions - TCPA.1.2

    Comply with restrictions on making calls using automatic telephone dialing systems (ATDS) or artificial/prerecorded voice messages, including obtaining prior express written consent where required for telemarketing calls to wireless numbers and non-emergency calls to residential lines.

  • Caller Identification Requirements - TCPA.1.3

    Transmit accurate caller identification (Caller ID) information for all telemarketing calls, including the calling party's name and telephone number.

  • Time-of-Day Restrictions - TCPA.1.4

    Ensure telemarketing calls are made only within permissible hours (typically 8 a.m. to 9 p.m. local time at the called party's location).

  • Abandoned Call Rate - TCPA.1.5

    Monitor and adhere to limits on abandoned call rates for telemarketing calls using autodialers (not to exceed 3% of all answered calls per campaign, measured over a 30-day period).

  • TCPA Policy and Training - TCPA.1.6

    Establish and maintain TCPA compliance policies and provide training to personnel involved in telemarketing or customer calls.
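As an added example (not part of this page), the following Python check audits a constructed call log against the TCPA.1.4 calling-hours window and the TCPA.1.5 abandoned-call limit stated above. The log fields, the campaign names, and the treatment of abandoned calls as a subset of answered calls are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo

@dataclass
class Call:
    campaign: str
    placed_at: datetime  # tz-aware time the call was placed
    called_tz: tzinfo    # time zone of the called party's location
    outcome: str         # "connected", "abandoned" (answered, no agent) or "no_answer"

def within_calling_hours(call: Call, start_hour: int = 8, end_hour: int = 21) -> bool:
    """TCPA.1.4: local time at the called party's location must be 8 a.m. to 9 p.m."""
    local = call.placed_at.astimezone(call.called_tz)
    return start_hour <= local.hour < end_hour

def abandoned_call_rate(calls, campaign: str, window_end: datetime, window_days: int = 30) -> float:
    """TCPA.1.5: abandoned / all answered (connected + abandoned) for one campaign over the window."""
    window_start = window_end - timedelta(days=window_days)
    answered = [c for c in calls if c.campaign == campaign
                and window_start <= c.placed_at <= window_end
                and c.outcome in ("connected", "abandoned")]
    if not answered:
        return 0.0  # nothing answered in the window, so no abandonment to measure
    return sum(c.outcome == "abandoned" for c in answered) / len(answered)

def audit(calls, window_end: datetime, max_rate: float = 0.03) -> list:
    """One finding per out-of-hours call, plus one per campaign over the abandoned-call limit."""
    findings = []
    for c in calls:
        if not within_calling_hours(c):
            local = c.placed_at.astimezone(c.called_tz)
            findings.append(f"out-of-hours call in campaign {c.campaign} at {local:%Y-%m-%d %H:%M} local")
    for campaign in sorted({c.campaign for c in calls}):
        rate = abandoned_call_rate(calls, campaign, window_end)
        if rate > max_rate:
            findings.append(f"campaign {campaign} abandoned-call rate {rate:.1%} exceeds {max_rate:.0%}")
    return findings

# Constructed sample log (not real data); fixed offsets are used instead of IANA zones, so no DST handling here.
PACIFIC, EASTERN, UTC = timezone(timedelta(hours=-8)), timezone(timedelta(hours=-5)), timezone.utc
SAMPLE_CALLS = [
    Call("spring", datetime(2024, 3, 1, 15, 0, tzinfo=UTC), PACIFIC, "connected"),  # 07:00 local: too early
    Call("spring", datetime(2024, 3, 1, 18, 0, tzinfo=UTC), EASTERN, "connected"),  # 13:00 local
    Call("spring", datetime(2024, 3, 2, 20, 0, tzinfo=UTC), EASTERN, "abandoned"),  # 15:00 local
    Call("spring", datetime(2024, 3, 3, 20, 0, tzinfo=UTC), EASTERN, "no_answer"),
    Call("summer", datetime(2024, 3, 5, 14, 0, tzinfo=UTC), EASTERN, "connected"),  # 09:00 local
    Call("summer", datetime(2024, 3, 5, 14, 5, tzinfo=UTC), EASTERN, "connected"),
]
WINDOW_END = datetime(2024, 3, 31, tzinfo=UTC)
FINDINGS = audit(SAMPLE_CALLS, WINDOW_END)  # two findings: one out-of-hours call, one campaign over 3%
```

Production use should resolve the called party's location to an IANA zone (via zoneinfo) so daylight-saving changes are reflected in the hour check.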

Maintain reliable communications networks and report service disruptions as required by 47 CFR Part 4 and Part 9.

  • Network Outage Reporting - NRO.1.1

    Report specified network outages to the FCC through the Network Outage Reporting System (NORS) within designated timeframes.

  • Communications Reliability - NRO.1.2

    Take reasonable measures to ensure the reliability and resiliency of communications networks, including implementing network monitoring, maintenance, and backup power systems.

  • 911 Service Reliability - NRO.1.3

    Ensure reliability and availability of 911 services, including compliance with E911 location accuracy requirements and specific outage reporting for 911 circuits and services (47 CFR Part 9).

  • Disaster Management and Recovery - NRO.1.4

    Develop and maintain disaster management and service restoration plans for network infrastructure to address natural disasters, man-made incidents, and other emergencies.

  • Special Provisions for Critical Facilities - NRO.1.5

    Implement special provisions for ensuring service continuity to critical facilities like hospitals, public safety answering points (PSAPs), and emergency operations centers during emergencies.

Ensure communications and video programming products and services are accessible to individuals with disabilities, as required by the CVAA and implementing rules (e.g., 47 CFR Parts 7 and 14).

  • Accessible Products and Services - ACC.1.1

    Ensure that communications and video programming equipment and services are designed, developed, and fabricated so that they are accessible to and usable by individuals with disabilities, unless not achievable.

  • Information, Documentation, and Training - ACC.1.2

    Provide access to information and documentation about the accessibility features of products and services in accessible formats, and train customer service staff on accessibility features and policies.

  • Pass Through of Accessibility Features - ACC.1.3

    Ensure that accessibility features (e.g., closed captioning, audible alerts, TTY compatibility) are passed through or made available to end-users without degradation.

  • Accessibility Recordkeeping and Certification - ACC.1.4

    Maintain records of efforts to implement accessibility requirements (e.g., product design considerations, customer consultations, testing) and file required certifications with the FCC.

  • Complaint Handling Procedures - ACC.1.5

    Establish procedures for receiving and responding to accessibility-related complaints from consumers in a timely and effective manner.

  • Advanced Communications Services (ACS) Accessibility - ACC.1.6

    Ensure that Advanced Communications Services (ACS) such as VoIP, email, instant messaging, and video conferencing, and related equipment, are accessible to people with disabilities, unless not achievable (47 CFR Part 14).

Participate in the Emergency Alert System (EAS) as required by 47 CFR Part 11, including maintaining equipment, conducting tests, and relaying alerts.

  • EAS Equipment and Installation - EAS.1.1

    Install and maintain FCC-certified EAS encoding and decoding equipment capable of receiving and transmitting alerts from designated sources.

  • EAS Testing Compliance - EAS.1.2

    Conduct Required Weekly Tests (RWTs) and Required Monthly Tests (RMTs), participate in periodic nationwide EAS tests (e.g., National Periodic Tests (NPTs)), and log all test results.

Establish, implement, and maintain a comprehensive cybersecurity governance structure and risk management program aligned with FCC guidance and relevant industry standards to protect communications networks and data.

  • Cybersecurity Policy Establishment - CGRM.1.1

    Develop, document, approve, and disseminate a formal, organization-wide cybersecurity policy that addresses requirements for protecting communications infrastructure and sensitive data.

  • Risk Management Framework Adoption - CGRM.1.2

    Adopt and adapt a recognized cybersecurity risk management framework (e.g., NIST Cybersecurity Framework (CSF), ISO 27001) to guide the organization's cybersecurity program.

  • Cybersecurity Risk Assessment - CGRM.1.3

    Conduct regular, comprehensive cybersecurity risk assessments of communications systems, services, and data to identify vulnerabilities, threats, and potential impacts.

  • Cybersecurity Roles and Responsibilities Definition - CGRM.1.4

    Clearly define, document, and assign cybersecurity roles, responsibilities, and authorities for all personnel involved in managing and protecting communications networks and data.

  • Third-Party Cybersecurity Risk Management - CGRM.1.5

    Establish and implement a program to manage cybersecurity risks associated with third-party vendors, suppliers, and service providers that have access to communications networks or sensitive data.

Implement and maintain robust network security controls to protect the confidentiality, integrity, and availability of communications networks, infrastructure, and services.

  • Secure Network Configuration and Segmentation - NS.1.1

    Implement secure baseline configurations for all network devices and systems, and segment networks to isolate critical systems and limit the impact of security incidents.

  • Vulnerability Management Program - NS.1.2

    Establish and maintain a vulnerability management program that includes regular vulnerability scanning, risk assessment of identified vulnerabilities, and timely remediation (e.g., patching).

  • Network Access Control - NS.1.3

    Implement strong access control mechanisms for all network devices, systems, and administrative interfaces, including the principle of least privilege and multi-factor authentication (MFA) for critical systems.

  • Border Gateway Protocol (BGP) Security Measures - NS.1.4

    Implement security measures to protect against BGP vulnerabilities, such as BGP hijacking and route leaks, including the development of BGP security plans and adoption of technologies like Resource Public Key Infrastructure (RPKI).

  • Signaling Network Security (SS7/Diameter) - NS.1.5

    Implement security measures to protect Signaling System 7 (SS7) and Diameter protocols from exploitation, including filtering, monitoring, and use of firewalls where appropriate.

  • Denial of Service (DoS/DDoS) Mitigation Strategies - NS.1.6

    Implement strategies and capabilities to detect, mitigate, and respond to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks against communications networks and services.

Implement robust safeguards to protect the confidentiality, integrity, and availability of sensitive customer data, including CPNI, and comply with applicable FCC data privacy and breach notification rules.

  • Protection of Other Sensitive Customer Information - DSP.1.2

    Implement appropriate security measures to protect other sensitive customer information (e.g., personally identifiable information (PII), financial data) beyond CPNI, consistent with privacy commitments and applicable laws.

  • Data Encryption and Masking - DSP.1.3

    Implement data encryption for sensitive customer information (including CPNI) at rest and in transit where appropriate, and use data masking or de-identification techniques when full data is not required.

  • Secure Data Disposal Practices - DSP.1.5

    Implement secure methods for disposing of sensitive customer information (including CPNI) and other confidential data in all formats (electronic and physical) when no longer needed for legitimate business or legal purposes.

Implement measures to mitigate cybersecurity risks associated with the communications supply chain, including hardware, software, and services.

  • Prohibited ("Covered") Equipment and Services Identification and Management - SCRM.1.1

    Identify, remove, replace, and dispose of communications equipment and services on the FCC's "Covered List" (posing an unacceptable risk to national security) from networks, and refrain from obtaining or using such equipment or services.

  • Vendor and Supplier Cybersecurity Risk Assessment - SCRM.1.2

    Conduct cybersecurity risk assessments of vendors and suppliers providing critical network equipment, software, or services before and during engagement.

  • Secure Software Development Lifecycle (SSDL) or Acquisition Practices for Network Components - SCRM.1.3

    Implement secure software development lifecycle (SSDL) practices for internally developed network software, and secure acquisition practices for externally sourced network software and components.

  • Supply Chain Information Sharing and Integrity Verification - SCRM.1.4

    Participate in relevant supply chain information sharing initiatives and implement measures to verify the integrity and authenticity of network hardware and software components (e.g., for STIR/SHAKEN implementation).

Develop and implement a comprehensive incident response and recovery capability to prepare for, detect, respond to, and recover from cybersecurity incidents affecting communications networks and services.

  • Incident Response Plan (IRP) Development, Maintenance, and Testing - IRR.1.1

    Develop, document, maintain, and regularly test a formal Incident Response Plan (IRP) that outlines procedures for handling cybersecurity incidents.

  • Incident Detection, Analysis, and Triage Capabilities - IRR.1.2

    Establish and maintain capabilities and procedures for promptly detecting, analyzing, and triaging potential cybersecurity incidents.

  • Incident Containment, Eradication, and Recovery Procedures - IRR.1.3

    Develop and implement procedures for containing cybersecurity incidents to limit their impact, eradicating the threat, and recovering affected systems and services in a timely manner.