FCC Urges Communications Providers to Strengthen Ransomware Defenses

On January 29, 2026, the Federal Communications Commission’s (“FCC” or the “Commission”) Public Safety and Homeland Security Bureau issued a Public Notice (DA 26-96) to highlight best practices that communications providers can implement to defend against ransomware attacks. The guidance comes in response to a significant increase in ransomware incidents affecting the communications sector—including a four-fold increase in attacks since 2021—and recent incidents involving small-to-medium sized communications providers that disrupted service, exposed sensitive information, and locked providers out of critical files.

While the Public Notice does not impose new regulatory requirements, it addresses best practices for preventing ransomware attacks, guidance on responding to an attack, existing reporting obligations, and resources available through the FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC).

Best Practices

The Public Notice identifies eight core best practices for preventing and mitigating ransomware attacks. Per the FCC, providers should:

1. Develop a Cybersecurity Risk Management Plan: Develop a comprehensive plan that creates incident response teams, assigns clear responsibilities to employees, and establishes response protocols.
2. Regularly Update and Patch Software: Use the most recent software updates and promptly apply security patches.
3. Enable Multi-Factor Authentication (MFA): Implement MFA as part of an authentication and access management strategy to guard against unauthorized network access.
4. Regularly Back Up Data: Have in place robust backup processes to facilitate data restoration in the event of an attack.
5. Train Employees in Cybersecurity Awareness: Educate employees and conduct periodic cyber-hygiene training.
6. Segment Networks and Implement “Zero Trust” Architecture: Implement network segmentation to minimize the impact of an attack by establishing important controls on network access.
7. Deploy Detection and Protection Processes: Maintain awareness of network conditions and proactively monitor for suspicious activities. This includes implementing intrusion detection and prevention systems, endpoint detection and response tools, running regular vulnerability scans, and monitoring logs for unusual login attempts or network activity.
8. Evaluate Third-Party Risk: Assess the cybersecurity practices and monitor the vulnerability of third-party vendors to reduce the risk of threats originating outside the provider’s controlled infrastructure.

Responding to an Attack

The Public Notice also provides guidance on responding to a ransomware attack, encouraging providers to follow their cybersecurity risk management plan and resist any attempts by attackers to create false urgency. Key response steps include identifying the scope and impact of the intrusion, immediately isolating affected systems to prevent further spread, and preserving evidence through system images and memory capture. Once containment is achieved, providers would patch and harden systems to address the exploited vulnerability before restoring data from clean backups. The guidance does not address whether to make a ransom payment.

Reporting Obligations

The FCC reminded providers that ransomware attacks may trigger existing reporting requirements. Under existing FCC rules, an attack that compromises Customer Proprietary Network Information must be reported to the United States Secret Service and the FBI via the Data Breach Reporting Portal as soon as practicable, and no later than seven business days after the provider reasonably determines a breach has occurred. Affected customers must be notified following law enforcement notification.

Network outages resulting from an attack may also require notification. The FCC reminded providers that, under 47 CFR § 4.9, they must submit reports to the Commission, 911 special facilities, and 988 special facilities on the timelines specified in the rules. Additionally, any unauthorized transmission of Emergency Alert System codes or Attention Signals must be reported to the FCC Operations Center within 24 hours.

Even when an attack does not trigger mandatory reporting, the FCC encourages voluntary disclosure. Providers may contact the FCC Operations Center at FCCOPS@fcc.gov or 202-418-1122, or file reports with the FBI’s Internet Crime Complaint Center for situational awareness and assistance.

CSRIC Best Practices

The Public Notice directs communications providers to the Communications Security, Reliability, and Interoperability Council (“CSRIC”) Best Practices Database as a key resource for implementing these cybersecurity measures. CSRIC is an FCC advisory committee that develops and publishes industry best practices vital to the reliability of the nation’s public communications networks and services. The CSRIC best practices address each of the core areas identified in the Public Notice in greater detail. The FCC’s appendix to the Public Notice highlights numerous specific CSRIC best practices that providers may wish to consider using as guideposts for their cybersecurity programs, if they are not already doing so.

Key Takeaways for Communications Providers

Many communications providers will have previously implemented most, if not all, of the best practices identified by the FCC, many of which are also relevant to mitigating nation-state attacks, like those of Salt and Volt Typhoon. Nonetheless, this Public Notice provides communications providers an opportunity to assess their current cybersecurity posture and ensure they have appropriate safeguards in place. Although the guidance does not create new legal obligations, it shows the FCC’s heightened focus on cybersecurity resilience in the communications sector, and underscores the importance of proactive risk management. Providers that experience a ransomware incident may face regulatory scrutiny from the FCC regarding whether they implemented these measures, even if such measures are voluntary.