In a direct response to a string of cyberattacks where bad actors exploited unsecured broadcast equipment to inject unauthorized audio, the FCC is moving to lock down the nation’s emergency alert infrastructure, and radio stations are on the clock to comply.
A Report and Order circulated ahead of the Commission’s June 25 open meeting would require all Emergency Alert System Participants, including radio broadcasters, to immediately implement three baseline cybersecurity measures: change all default passwords on EAS equipment before going to air, promptly install security patches and firmware updates as they become available, and place EAS equipment behind a network firewall or comparable segmentation practice that blocks unauthorized remote access.
The FCC cited incidents at ESPN 97.5 in Houston and a Richmond-area NPR affiliate among recent examples.
The Commission framed the three requirements as a minimum baseline rather than a comprehensive framework, explicitly pulling back from a broader cybersecurity risk management plan mandate it had proposed in 2022 that drew industry pushback over cost and complexity. The order estimates compliance costs at no more than $1,000 per station and roughly 10 hours of labor per entity per year.
Alongside the cybersecurity rules, the FCC released a Further Notice of Proposed Rulemaking seeking comment on a broader EAS and Wireless Emergency Alert modernization agenda. Proposals include requiring digital signature authentication for all CAP-formatted EAS alerts, establishing a universal alert message identifier to suppress duplicate alerts, tightening WEA geotargeting by eliminating outdated exceptions tied to legacy networks and disabled location services, and requiring alert symbols to accompany EAS and WEA messages to aid comprehension.
The FNPRM also seeks comment on text-to-speech readout for earthquake alerts and the retirement of the 90-character WEA message requirement.
In a win for the NAB, the Commission formally granted NAB’s March 2025 petition to allow software-based EAS processing as an alternative to dedicated hardware, opening a rulemaking on the issue and proposing a certification framework for EAS software. iHeartMedia submitted comments in the proceeding advocating for resilience as a fourth core alerting goal, arguing that systems must remain functional when other emergency communications go down.
The cybersecurity rules take effect 90 days after publication in the Federal Register. Comment deadlines for the FNPRM are 30 and 60 days after Federal Register publication.
