FirstNet releases cybersecurity plan, seeks comments by Oct. 16—for now

FirstNet this week released a public notice outlining its proposed cybersecurity requirements and have asked commenters to provide their input by Oct. 16, although a FirstNet official yesterday said that the organization is considering several requests for a time extension.

Given the sensitive nature of public-safety communications, members of the public-safety communications repeatedly have cited cybersecurity as a key component for FirstNet, both from an operational and privacy perspective. High-profile data breaches in both the government and corporate sectors have focused even more attention on the cybersecurity of FirstNet.

In August, FirstNet officials speaking during the organization’s Industry Day and at the Association of Public-Safety Communications Officials (APCO) conference indicated that the FirstNet cybersecurity strategy—one of two key sections not included in the draft request for proposal (RFP) released in April—would be released in September.

Glenn Zimmerman, FirstNet’s senior security architect, emphasized that FirstNet is seeking responses that propose innovative solutions that are “going to essentially rock the cyber world.”

However, FirstNet did not release the cybersecurity public notice until Monday afternoon (click here to access the full document) and called for responses to be submitted by Oct. 16. Several industry and public-safety sources told IWCE’s Urgent Communications that responding in an 11-day time period would be very difficult, particularly if the purpose is to propose new ideas on a subject that it is as technically and legally complex as cybersecurity.

Yesterday, FirstNet acknowledged that it may extend the response deadline.

“We have received a number of requests for additional time and are considering them,” according to a statement from FirstNet spokesman Ryan Oremland.

But extending the response deadline for the cybersecurity public notice could create difficulties for FirstNet, which plans to release its final request for proposal (RFP) by the end of the year. Even with the current Oct. 16 deadline, processing and integrating the many anticipated responses to the cybersecurity public notice into the final RFP would not be a simple task. Extending the response deadline would make the endeavor more difficult, if the final RFP is going to be approved by the board and released by the end of the year.

During last week’s FirstNet board meeting, new CEO Mike Poth said that FirstNet remains on track to release the final RFP by the end of the year, but he acknowledged that the RFP could be released early in 2016, if additional time is needed to address key aspects of the document that could impact its success.

In the cybersecurity public notice, FirstNet details many of the key points that officials have noted in the past. FirstNet's key advantage is that it has the opportunity to integrate cybersecurity policies into the design of its network, instead of trying to add cybersecurity after the fact to an existing network. However, FirstNet faces a significant challenge in that it needs to provide the highest level of cybersecurity, but it has to be done in a manner that allows public safety access to the applications it needs quickly and easily, particularly when responding to emergencies.