The Federal Communications Commission adopted new cybersecurity requirements for the Emergency Alert System on June 25, turning years of guidance about alerting equipment into enforceable baseline rules for broadcasters, cable systems, and other EAS participants.
The rules are deliberately narrower than the broader cybersecurity framework the FCC floated in 2022. Instead of requiring full risk-management programs across alerting providers, the commission focused on three repeatedly exploited weaknesses: default or weak passwords, delayed software and firmware patching, and emergency-alert equipment exposed to the public internet.
Once the rule changes are published in the Federal Register, EAS participants will have 60 days to comply. The short deadline reflects the FCC’s view that these are basic controls for a public-warning system, not a long-term modernization project.
What The FCC Is Requiring
The first requirement is password hygiene for EAS equipment, studio-transmitter link equipment, and any remotely managed system that routes, processes, or inserts content into a participant’s programming stream. Default passwords must be changed before the equipment is used for public broadcasts. Passwords must be at least 15 characters long, avoid dictionary words, and not be reused across other accounts, devices, applications, or services.
The FCC is also allowing participants to use alternative authentication methods if they are strong enough to reduce unauthorized-access risk. The order points to National Institute of Standards and Technology guidance, including one-time passwords and cryptographic authentication, rather than locking every operator into one password-only approach.
The second requirement is prompt patching. When security patches or firmware and software updates become available for covered EAS or remotely managed broadcast equipment, participants must download and install them promptly. Operators may test updates first to avoid breaking alerting workflows, but the FCC says testing must begin promptly and finish on a timeline consistent with industry best practices.
The third requirement is network isolation. EAS participants must place covered systems behind a firewall or use comparable segmentation so remote management access is limited to authorized devices and users. The order explicitly names approaches such as a dedicated VLAN, a demilitarized zone, a physically isolated management network, router rules that block inbound public internet access, or other controls that keep EAS equipment off the open internet.
Why Alerting Equipment Became A Cybersecurity Issue
The FCC’s order is rooted in a simple operational problem: some of the equipment used to relay emergency alerts has been managed like ordinary broadcast gear, even though a compromise could trigger a false warning or prevent a real warning from reaching the public.
The commission cited earlier incidents involving hoax radio broadcasts, false alerts about a radiological hazard sent to cable subscribers, and broadcast audio equipment hijacks. It also noted that successful attacks have continued into 2026 despite earlier FCC and FEMA warnings telling EAS participants to secure their equipment, apply patches, and remove default credentials.
The technical path is not exotic. Default credentials on encoders and related devices can be found online. Outdated firmware can leave known vulnerabilities reachable for years. Remote management interfaces exposed directly to the internet let attackers find equipment with common scanning tools. In the FCC record, REC Networks identified 730 EAS participant servers exposing a password screen for Sage Alerting Systems’ ENDEC device, including 288 using port 80, the default port for HTTP web service.
That combination makes emergency alert cybersecurity less about speculative nation-state techniques and more about basic operational hygiene. If a device that can insert alert tones or warning messages is reachable from the public internet with a weak or factory-set password, the public-warning system inherits the same risks as any unmanaged connected device, but with higher consequences.
The FCC Chose A Narrower Path Than Its 2022 Proposal
The commission terminated its 2022 alerting-security proposal, which would have required broader cybersecurity risk-management plans. The new order says that approach would have imposed higher costs, especially on small and noncommercial broadcasters, while not necessarily producing enough additional benefit for the alerting system itself.
That tradeoff matters because the EAS ecosystem includes large media companies, small local broadcasters, cable operators, and other participants with very different technical staff and budgets. The FCC’s replacement approach aims at the controls most directly tied to known failures: changing default passwords, patching known vulnerabilities, and keeping management interfaces away from the public internet.
The order still leaves room for stronger security programs. Organizations that already use more mature access controls, segmentation, monitoring, or managed vulnerability programs can keep them. The FCC is setting a floor, not treating the three controls as the ceiling for alerting-system security.
Wireless Emergency Alerts Are Mostly A Separate Question
The FCC’s cybersecurity requirements focus on EAS participants, not a broad new security mandate for Wireless Emergency Alerts. The order says best practices remain the current fit for WEA cybersecurity, partly because the record did not show successful WEA attacks that would justify heavier new requirements.
That does not mean mobile alerting is finished. The same FCC item includes a further notice that asks about additional modernization for EAS and WEA, including ways to make alerts more useful for emergency managers and less burdensome for providers. For now, the cybersecurity compliance clock is mainly a broadcast and cable alerting issue.
What Operators Should Do Now
For EAS participants, the practical first step is an inventory. Operators need to identify EAS encoders and decoders, studio-transmitter link equipment, IP audio devices, routers, remote-access tools, and any other managed systems that can affect whether alerting content is routed or inserted into programming.
From there, the checklist is direct: remove default credentials, replace weak or shared passwords, verify that no password is reused elsewhere, confirm firmware and software versions, install available security updates, and document any testing needed before production deployment. Internet-facing management pages should be closed, firewalled, or moved behind segmented management access.
Small broadcasters should not treat the 60-day compliance window as extra time to wait. The work may be simple in many environments, but older gear, undocumented network paths, inherited passwords, and used equipment can slow down a clean audit. The FCC specifically mentioned gray-market EAS devices that may arrive with old firmware or retained credentials, making secondhand hardware a special risk.
The broader lesson is that emergency alerting is now part of the same critical-infrastructure security conversation as telecom networks, submarine cables, cloud platforms, and public-sector systems. A false alert can damage public trust. A blocked alert can put people at risk. The FCC’s new rules make the minimum expectation plain: equipment that carries public warnings has to be managed like security-sensitive infrastructure.
Sources: FCC alerting systems order, FCC June 2026 alerting systems draft order and fact sheet, TV Tech coverage, and Wikimedia Commons image page.
