By Laura H. Phillips

Article Highlights:

  • As communications networks transition to IP-based operations, the way 911 works changes, creating new service reliability vulnerabilities.
  • The FCC has proposed a range of new rules that would increase its oversight both over existing and new types of 911 providers; comments on its proposals are due March 9, replies April 7.
  • New certifications, notifications and risk assessments would be required of a newly expanded group of 911 providers if the proposed rules are adopted.
  • Additional rules for information sharing and cooperation among competitors and component providers proposed.
  • No new cost recovery is proposed for these additional regulatory requirements.
  • While states and localities would not be preempted from their traditional jurisdiction or roles, the new FCC framework would represent a uniform baseline of 911 requirements.

As part of its unrealized effort to bring policy coherence to the migration of traditional switch-based telephone networks towards all IP-based architectures, the Federal Communications Commission (FCC) recently commenced a rulemaking aimed at improving accountability for the reliability of the 911 service “ecosystem” as network architectures continue to evolve.[1] Over the objections of Republican Commissioners Pai and O'Reilly, the FCC’s Democratic Chairman and Commissioners voted to adopt a Policy Statement and to propose a new federal framework with specific rule to address service failures that can lead to multi-state 911 service outages. The Notice of Proposed Rulemaking (Notice) proposes that the agency keep pace with evolving technologies and address the reliability challenges that the IP transition presents by adopting a new and expanded federal governance structure for 911. Comments on the proposals contained in the Notice are due to be filed by March 9, 2015, with Reply Comments due to be filed by April 7, 2015.

Evolving Networks, Increasing 911 Outages. With traditional communications network architecture of time division multiplexing (TDM), 911 calls originate on and are routed through and delivered to Public Safety Answering Points (PSAPs) using incumbent local exchange carrier (ILEC) networks. Increasingly, system service providers (SSPs), subcontractors and vendors are providing PSAPs with additional technical capabilities and even equipment that utilizes enhanced capabilities that are part of Next Generation 911 (NG 911) services. The NG 911 platform can offer a range of potential benefits, including flexible call routing, and a greater range of information capabilities, including text, and video and data from devices, such as vehicle crash sensors, that can be made available to emergency responders. A key component of NG 911 architecture is the emergency services IP network (ESInet), which is an IP-based network of networks that can be shared by a range of public safety entities that may be involved in responding to an emergency. An ESInet is typically deployed at the state or regional level and is operated under contract with a number of PSAPs that share the use of its capabilities. The evolution towards ESInets has implications for service delivery and the allocation of NG 911 service delivery responsibilities.

While NG 911 holds the promise of more robust systems, the transition is not complete. In many jurisdictions 911 services are provided through transitional architectures that include both IP-based and TDM-based components. IP-based 911 networks are more geographically diverse and are generally provisioned across multiple states and jurisdictions and IP-based 911 rely upon remote servers and databases. This raises new issues about new vulnerabilities, including highlighting the question of who is responsible for service failures or troubleshooting when there are a number of entities, both carriers and non-carriers, supporting separate aspects of NG 911 service delivery.

In traditional 911 settings, ILECs were responsible for routing calls 911 to the appropriate PSAP, and state local authorities designated the appropriate PSAP responsible for answering a 911 call and dispatching help. The same general assignment of responsibilities followed for troubleshooting operational issues and for recovery from 911 service outages. ILECs typically have had both a contractual relationship with a PSAP that includes serving as primary party with responsibility for technical support and information sharing and a tariffed service relationship. Alternatively, state regulation may apply to dictate responsibility for 911 service components. The Notice expresses concern that as networks evolve, the number of potential failure points for 911 service delivery may increase, while at the same time there is less clarity as to what specific roles various providers are to play in ensuring 911 service works reliably or is restored promptly in the event of an outage.

The Notice summarizes several recent 911 outages where evolving technology has introduced new service risks, and notes that these incidents highlight the need for more definitive NG 911 governance structures. ESInets, for example, can fail due to software malfunctions, database failures, or even errors in conversion from legacy to IP-based network protocols. These new modes of potential failure can cause outages over interstate areas or even nationwide. Moreover, the consolidation of critical resources in a small number of databases increases the risk of catastrophic 911 service failures. For example, the Notice cites software coding errors in a 911 call routing facility that led to a loss of 911 service to more than 11 million people in seven states. While the SSP point of failure operated a redundant hub in another state to which 911 traffic could have been immediately rerouted, the malfunction was not detected promptly and the system did not execute a switchover of traffic for several hours. The Notice cites this as an example of insufficient safeguards or lines of accountability and further states that the incident was not isolated. The FCC notes that there have been an increasing number of “sunny day” 911 outages caused by preventable errors in software or in database configurations or in maintenance. IP-based systems have failed under everyday conditions or after seemingly routine software updates that produce unintended consequences. While these networks are designed to be redundant, the Notice states that recent outages demonstrate how easily redundancy can be compromised if critical components fail.

Current Governance Processes and FCC Oversight. Governance of legacy 911 service is shared among state, federal and local authorities. The responsibility for establishing PSAPs, procuring equipment and training PSAP personnel, as well as implementing cost recovery mechanisms, falls squarely on states and localities. The FCC historically has declined to impose any sort of reliability or other certification requirements on governmental authorities that provide 911 answering and dispatch and proposes that that remain unchanged. Nevertheless, the Notice states that Congress directed the FCC to advance public safety through the deployment of IP-enabled 911 and suggests that in the absence of specific Congress guidance, the FCC should lead and coordinate the transition to NG 911 by setting national NG 911 policy.

The FCC’s current framework requires 911 service providers to route 911 calls, along with appropriate location information, to a PSAP. Following an investigation of 911 service failures in 2012, the FCC adopted a range of rules requiring “covered” 911 service providers, such as incumbent LECs, CLECs, large wireless carriers and large interconnected VoIP providers. These new rules required these providers to analyze their networks for redundancy, resiliency and reliability, and to provide that information to the agency. These reviews and system audits are to be updated, and the covered providers must each make an annual certification to the FCC that they have implemented best practices and taken reasonable measures to ensure reliability.

FCC monitoring of these and preexisting outage reporting requirements enables the agency to perform statistical analysis of trends that can inform future recommendations for reliability. Even with these tools, however, the Notice states that the recent trend of increasing sunny day outages demonstrates a potential need for additional actions to prevent or mitigate large-scale disruptions in 911 services and to improve communication and situational awareness. The FCC proposes that there be more specific governance mechanisms within the 911 ecosystem to ensure better situational awareness and accountability. What these additional reliability and monitoring steps will cost is not addressed in the Notice. The Notice states that the FCC is deferring for another day the complex issues of IP interconnection and cost recovery as they may affect NG 911.

The FCC’s NG 911 Policy Statement. It is FCC policy to encourage and support efforts by states and localities to develop comprehensive, ubiquitous reliable 911 service. IP-based 911 service providers and architectures extend beyond the boundaries of any state and network changes and may affect quality of service on a regional or national scale. Thus, consistent collaborative governance is essential as 911 technology evolves. Failures on a large scale have the potential to be catastrophic to users and the FCC intends to take a leadership role in addressing these risks.

The FCC articulates its goals in this area to serve as a framework for evaluating the proposals contained in the Notice and comments received on its proposals. As a threshold matter, all entities providing 911 services occupy unique positions of public trust. Increased innovation and competition in the 911 ecosystem have the potential to enhance 911 functionality and utility, but transitions have to be managed so that they maximize the availability, reliability and resiliency of the network while ensuring accountability. NG 911 architecture or service should have safeguards, along with appropriate governance mechanisms, to maximize reliability. Second, significant changes to 911 service should be coordinated transparently with the FCC and with the responsible state and local authorities. If technology transitions create real or perceived gaps in the delivery of reliable 911 service, the FCC intends to act with state and local partners to close those gaps.

Adding all Forms of New Providers as “Covered” Providers Subject to Audit. Following the 2012 Derecho and other widespread and serious 911 service outages, the FCC adopted a new rule, rule 47 C.F.R §12.4, “Reliability of covered 911 service providers.” The rule requires covered service providers, currently defined as those who provide specified 911 capabilities directly to a PSAP, to maintain reliable 911 networks that adhere to best practices and to annually certify network redundancy, reliability and resiliency. At the time rule §12.4 was adopted, the FCC was not persuaded that NG 911 technology had evolved to the point that newer providers needed to be subject to these requirements. However, as sunny day outages in ESInets have been occurring and as more 911 calls are NG 911 calls, the Notice proposes to expand the scope of entities covered by the rule to include more IP-based entities. The Notice proposes that all entities that provide any type of 911 capabilities, such as call routing, automatic location information, automatic number identification, location information servers, text- to-911, or the functional equivalent of those capabilities would be covered. There would be no precondition that there be a direct contractual relationship with any PSAP or an emergency authority to be a covered entity.

Expansion of Review and Reporting Requirements, and Applications for Ending or “Impairing” Service. The Notice seeks comment on what additional reliability practices should be incorporated into the rule and become subject to certification requirements. Some potential additional factors mentioned include testing of software and databases used to process 911 calls, as well as express consideration of geographic distribution, load balancing, and automatic rerouting in the event of a failure. Appropriate prioritization of network alarms as well as consideration of cybersecurity and supply chain risk management are also identified as areas for consideration. Further areas for possible certification might also include developing and having in place reasonable measures to share information to improve situational awareness during service disruptions, including providing test notifications to PSAPs and state emergency management offices, as well as the possibility of adopting specified timeframes within which to alert PSAPs of any outages. Comments are sought as to whether the FCC’s CSRIC industry advisory committee - or other bodies - should develop consensus-based best practices that might be incorporated as FCC rules or standards.

As an increasing number of critical 911 capabilities are being provided by more and more non-carrier SSPs and other technical vendors using IP clouds and data hosting, the Notice states that the FCC must ensure that the end-to-end delivery of service is reliable. To that end, the Notice proposes that the public should be aware of major changes in any covered 911 provider’s network architecture or scope of services. The Notice asks which entities, and under what conditions, should be responsible for reporting network changes, as well as seeking comment on what would be considered a “major” change that should trigger a reporting requirement.

The FCC also proposes that covered 911 service providers that wish to discontinue providing service or “impair” an existing 911 service be required to file with the FCC for formal approval to do so. The Notice asks whether states and localities already have discontinuance processes in place so that an FCC backstop covering newer types of providers is not necessary. The FCC does not propose to require this proposed notification application process where discontinuance of service is at the request of a PSAP or a state agency.

Proposed Role for a Federal Framework. Given that IP-based technologies typically are operating on a regional or national level, the Notice asks whether it is appropriate and potentially helpful to states for the FCC to set expectations as to service reliability and accountability. The Notice states that any federal level process would not supplant state or local requirements, but rather ensure that there are no gaps in oversight. Specifically, the FCC proposes that all new 911 service providers or all new services by existing providers be subject to federal certification as to reliability. Specifically, each provider would have to certify that they have conducted a reliability and security risk analysis of their network components, infrastructure and software to support 911 call completion. This certification would not be a preapproval requirement for the introduction of new technologies. However, it would represent a public acknowledgment of fundamental reliability responsibilities and contain a provider’s assessment of preparedness to meet these responsibilities.

The Notice asks whether state laws, regulations or common law provide adequate assurances of service provider qualifications in place of a uniform federal standard and certification process. It also asks if there is immunity under state law against liability for the provision of 911-related services or communication services by common carriers or other entities. Assuming immunity exists, the Notice asks whether immunity affects incentives among providers and others to ensure that 911 services are reliable, regardless of the technology used.

Enhancing Situational Awareness in a Multi-Provider World. The Notice asks which entities would be subject to a certification process if such a requirement were adopted, and what the scope of new services would be that would trigger the need for a certification. Various factors are suggested with respect to analysis of network monitoring capabilities, situational awareness and sharing of outage information. Some questions highlighted for comment include whether the certification should address issues regarding diversity redundancy of the network, the possibilities of equipment failure, and the ability to switch to backup systems. Finally, the Notice asks for comment on the extent to which the certification risk analysis should include cybersecurity or supply chain risk assessment. The Notice asks whether it would be sufficient for service providers to conduct their own analysis or whether the certification analysis should be done by an independent third party. The Notice also asks if an FCC advisory commission such as CSRIC should develop best practices recommendations that would be basis for certification.

While proposed federal certification process would not preempt state processes, the states would certainly have the option of adopting the federal certification framework as a basis for state-level governance. If there is potential conflict between federal certification and similar state-level processes, the Notice asks how would conflicts be minimized. The Notice does not propose that any federal certification extend to the provision of new call processing services or equipment capabilities provisioned by PSAPs themselves under oversight of state and local governments.

Single Point of Contact. The Notice also highlights the belief that more needs to be done to address gaps in situational awareness and coordination with large-scale 911 outages. It suggests that information sharing is the key to diagnosing problems that could originate with a single provider but affect many others. The FCC proposes to clarify responsibility for situational awareness and coordination among service providers, their subcontractors and affiliated entities. For example, the FCC suggests it would be helpful for one covered 911 provider in each jurisdiction to perform a central clearinghouse triage function, obtaining and disseminating critical information to other stakeholders on a timely basis. Specifically, the FCC proposes to establish a class of covered 911 service providers that would assume primary responsibility for this function. The FCC proposes to call this provider the "911 Network Operations Center” (NOC) provider. Under this proposal, NOCs would be responsible for monitoring their networks for disruptions or degradations in 911 service and for affirmatively communicating relevant information as appropriate to other stakeholders, including SSPs, vendors, PSAPs, state emergency management offices and the FCC's own operations center. These 911 NOC providers would be empowered to obtain relevant information concerning outages from other providers, who would be required by FCC rule to provide this information.

911 NOC providers would coordinate with other stakeholders to collect and distribute information about outages on portions of the network. The Notice proposes that the role of NOC provider be assigned to the entity responsible for the transport of 911 traffic to the PSAP or PSAPs serving each jurisdiction. In many cases the FCC expects this role will be assumed by the incumbent LEC because of their historic traffic transport functions. However, as networks evolve, other entities may take on transport responsibility. For example, the ESInet provider that receives 911 calls from originating service providers and aggregates and delivers traffic to PSAPs could at some point assume the role. The Notice asks whether there are consistent situations where one entity can reasonably be identified as being responsible for aspects of transport of 911 to the PSAP or PSAPs serving a jurisdiction.

The Notice suggests that proposed NOC responsibilities during an outage would be limited in scope. For example, the NOC would not be expected to have omniscient situational awareness of network components outside of its control, except to the extent that it could ask for information from other parties or collected through its own network monitoring processes. Rather, these providers would serve as a hub for the collection, aggregation and communication of available information. While the NOC would be tasked with obtaining and disseminating outage information, it would not be legally responsible for adverse consequences resulting from outages or attributed with failures of network components outside of its control or for remediating or repairing such failures.

This new NOC reporting framework would not replace existing outage reporting requirements, as parties covered by existing requirements still would be required to report outages. The FCC asks, however, whether current individual provider reporting obligations would be better assigned to a single 911 NOC provider per jurisdiction. The Notice also seeks comments on processes or mechanisms that NOC providers or other covered 911 service providers can use to carry out their situational awareness responsibilities. Some examples raised for comment are use of standardized network management interfaces, alarms, and shared personnel, among others.

Facilitating the real-time exchange of information is the FCC's goal. To that end the FCC asks whether it should require 911 NOC providers or other covered providers to transmit high-level data on the status of their networks to some sort of centralized dashboard, allowing users to quickly identify disruptions in a portion of the network. If such an approach is adopted, the Notice asks about protection of the data, specifically asking how the FCC should ensure that privacy and confidentiality are protected. If a webpage is used to provide key information on the status of networks, the Notice asks about the need for and desirability of access to this data by the public, by PSAPs and by covered 911 service providers.

The FCC asks how it should support and empower providers to share information. The Notice cites improved situational awareness developed in the communications sector by the creation of the Information Sharing and Analysis Center, a public-private partnership overseen by the US Department of Homeland Security via its National Warning Center for Communications. The Notice asks whether a similar model might be applied here. Assuming such a model is adopted, the FCC asks which entities should participate, or be required to participate, beyond NOC providers. Other means of improving information sharing are suggested for comment, including a centralized database of contact information for PSAPs and state emergency offices that would be available to 911 NOC providers and other service providers for outage notification of recovery. The Notice asks whether CSRIC or the FCC or some other entity should serve as a hub for the compilation and distribution of any such centralized database.

In situations where PSAPs are served by more than one covered 911 service provider, the Notice asks whether the parties serving them should designate their specific support roles. The FCC could require covered service providers to designate a hierarchy of responsibility for support or it could encourage PSAPs and providers to negotiate that in their own service agreements. Comments are sought on the best approach. The Notice asks if there are legal or regulatory barriers that prevent or discourage 911 service providers, contractors, subcontractors and their affiliates from sharing information during a 911 outage that the FCC should consider in formulating its rules. For example, the FCC asks if there issues that preclude information sharing that the FCC should consider. Additionally, the Notice asks that any legal liability for disclosing customer information that should be identified for consideration. If there are limited or insufficient, the FCC asks whether it should extend liability protections that may already be afforded to certain entities to additional participants.

Legal Authority to Adopt a New Federal Framework. The Notice reviews a number of statutory enactments since 1999, which the FCC believes authorize it to take a leadership role in cooperative partnership with states and localities to promote reliability of 911 services nationwide. To the extent that 911 service providers are common carriers, the FCC has the ability under section 201(b) of the Communications Act to regulate their practices as just and reasonable and their facility adequacy under section 214(d). The FCC notes that section 4 of the Act also confers jurisdiction on the FCC over matters that affect the safety of life and property and allows the FCC to investigate the best methods for obtaining the cooperation and coordination of disparate systems. For any of the proposals that might affect entities not subject to specific statutory authority, the FCC states its belief that new rules would be reasonably ancillary to the FCC’s effective performances of its statutorily mandated responsibilities. The FCC seeks comment on this analysis and on any other sources of legal authority for the proposals made in the Notice.

While theoretically no one would argue about the desirability of enhanced situational awareness and information sharing in the evolving IP-based NG 911 ecosystem, there may be starkly contrasting views about how the FCC best achieves its goals without regulatory mission creep. Certainly there will be concern about the new costs and responsibilities for all “new” participants in this market that the FCC has not addressed. Managed networks and solutions providers may have contractual and operational concerns about aspects of the proposals, and states as well as PSAP organizations may become active in this debate as well.

[1] See 911 Governance and Accounting, Policy Statement and Notice of Proposed Rulemaking FCC 14-186, PS Docket No. 14-193, released November 21, 2014.


Source: Client Alert