What the Vote Was
The FCC voted 2-1 on November 20, 2025, to rescind a January 2025 ruling that required U.S. telecommunications providers to adopt sweeping cybersecurity protections under Communications Assistance for Law Enforcement Act (CALEA) Section 105.
The original mandate was introduced after the major "Salt Typhoon“ cyber espionage campaign (attributed to Chinese-linked hackers) that breached multiple large carriers.
Under the new order the FCC is shifting away from broad mandates toward a framework of voluntary commitments and targeted oversight.
Why This Matters for Cybersecurity
-
Critical infrastructure risk: Major telecom carriers form the backbone of digital communications. If their networks are compromised, the effects cascade across industries, governments, and individuals. The Salt Typhoon breach illustrated this.
-
Regulatory baseline removal: Without mandatory federal rules, individual carriers may adopt inconsistent cybersecurity postures, creating uneven protection across networks.
-
CVE and vulnerability management importance: With less regulatory compulsion, carriers and their enterprise customers must rely on strong internal vulnerability-patch programmes (tracking publicly-known CVEs), rigorous penetration testing and robust incident response.
-
Supply-chain and vendor risk: Many telecom systems include third-party equipment and software that may harbour unpatched CVEs or weak access controls, the rollback heightens the need for businesses to ensure their carriers and vendors meet strict standards.
-
Penetration testing becomes a differentiator: Enterprises will increasingly rely on internal testing to validate that their carrier networks, vendor links and services are resilient to both nation-state attacks and supply-chain exploitation.
Key Provisions of the Original and Revised Rules
| Aspect | January 2025 Mandate | November 2025 Rollback & Voluntary Framework |
|---|---|---|
| Legal basis | CALEA Section 105 interpreted to require carriers to secure networks against unlawful access/interception. | FCC argues original interpretation exceeded statutory authority; mandates reversed. |
| Scope | Broad set of cybersecurity obligations for all telecom carriers (role-based access, patching, vendor audits, etc.). | Focus shifts to targeted risk areas (submarine cables, foreign-controlled labs, 5G core) and voluntary industry commitments. |
| Enforcement | Direct carrier obligations; non-compliance could result in penalties. | Likely reliance on collaboration, incentives, and voluntary attestations rather than sweeping rules. |
| Implication for Enterprises | Carriers obligated to meet minimum security baselines; enterprises could expect stronger carrier guarantees. | Enterprises must take greater responsibility to verify carrier security, focus on CVE/patching, and perform own penetration testing. |
What Businesses Should Do Now
-
Include carrier networks in your asset-and-risk inventory: Recognise that your telecom provider is part of your supply chain, treat it as a critical vendor.
-
Ask for carrier security assurances and vendor audits: Given the rollback, carriers’ commitments may be voluntary, request documentation or audit reports showing patch management, CVE tracking, threat-hunting, and vendor risk controls.
-
Track CVEs relevant to telecom infrastructure and services: Many intrusion campaigns exploit known vulnerabilities. Ensure that telecom-facing systems your business depends on (e.g., SIM management, IoT back-haul, RAN/5G cores) are covered.
-
Conduct penetration testing and red-team exercises including carrier interfaces: Assess your access paths, vendor dependencies, data flows through the carrier network and whether a compromise at the carrier level could impact your operations.
-
Segment and monitor communications paths: Assume risk exists in the carrier network, monitor for anomaly, enforce zero trust, restrict outbound and inbound flows, and ensure you can operate if the carrier experiences a breach.
-
Negotiate security clauses in SLAs and vendor agreements: With mandated rules removed, your commercial contracts become the default guarantee. Insert requirements around patching windows, incident response times, breach notification, and audit rights.
-
Align internal security strategy with national-level frameworks: Use standards like NIST Cybersecurity Framework, Cybersecurity and Infrastructure Security Agency (CISA) performance goals and sector-specific controls to ensure you remain resilient regardless of regulatory shifts.
Forward-Looking Implications
-
Voluntary measures may lead to uneven protection: Enterprises must assume minimum levels of carrier security cannot be taken for granted.
-
National security dimension remains strong: The Salt Typhoon case underscores that telecom security remains a strategic priority and may come under scrutiny from other federal bodies or legislation.
-
Emerging attack vectors: With telecom infrastructure at greater risk, threat actors may shift to exploiting carrier-vendor ecosystems, signalling networks, or 5G cores. Businesses need to ensure their downstream systems aren't vulnerable by association.
-
Penetration testing as competitive advantage: Organisations that validate carrier and vendor security posture through independent tests will stand out to clients, regulators and insurers.
FAQ
Q1: What is the Salt Typhoon hack?
It is a major cyber-espionage campaign attributed to Chinese state-linked actors that infiltrated United States telecom providers, compromising networks, metadata and signalling systems.
Q2: Does the FCC rollback mean carriers are no longer required to secure networks?
No, carriers still face general cybersecurity expectations, incident-reporting obligations and supply-chain rules. But the broad January 2025 mandate is being replaced with a more voluntary, targeted approach.
Q3: How does this change affect my business?
Your business should now take greater responsibility for vetting carrier security, tracking CVEs in telecom-facing systems and performing penetration testing on access paths through providers. Minimum security levels may vary, so assume risk and act accordingly.
