Skip to main content
Home

Main menu

  • REC Home
  • Apply
    • REC Services Rate Card & Policies
    • New FM translators (reserved band)
    • Commercial FM (Auction 114)
    • Have REC file your FCC application (All FM Svcs)
    • LPFM Construction Completed
    • FM engineering & other FCC applications
    • New FM Booster Station
    • New Class D FM Station in Alaska
    • New Low Power FM (LPFM) Station
  • Initiatives
    • RM-11846: Rural NCE Stations
    • RM-11909: LP-250 / Simple 250
    • RM-11952: Translator Reform
    • RM-11843: 8 Meter Ham Band
    • PACE - LPFM Compliance
  • Services
  • Tools
    • Today's FCC Activity
    • Broadcast Data Query
    • Field strength curves
    • Runway slope
    • Tower finder
    • FM MODEL-RF Exposure Study
    • NCE Translator Prequalification
    • More tools
    • Developers - API
    • Toybox
  • LPFM
    • Learn about LPFM
      • Basics of LPFM
      • Self Inspection Checklist
      • Underwriting Compliance Guide
      • Frequently Asked Questions
      • FCC Rules for LPFM
      • HD Radio for LPFM
      • Transmitters certified for LPFM
      • Interference from FM translators
      • RadioDNS for LPFM Stations
    • 2023 Window REC Client Portal
    • myLPFM - LPFM Station Management
    • LPFM Station Directory
    • Spare call signs
    • REC PACE Program
    • More about LPFM
  • Reference
    • Pending FCC Applications
    • FCC Filing Fees
    • Radio License Renewal Deadlines
    • FCC Record/FCC Reports
    • Pirate Radio Enforcement Data
    • Premises Info System (PREMIS)
    • ITU and other international documents
    • Recent FCC Callsign Activity
    • FCC Enforcement Actions
    • Federal Register
    • Recent CAP/Weather Alerts
    • Legal Unlicensed Broadcasting
    • More reference tools
  • LPFM Window
  • About
    • REC in the Media
    • Supporting REC's Efforts
    • Recommendations
    • FCC Filings and Presentations
    • Our Jingles
    • REC Radio History Project
    • Delmarva FM / Riverton Radio Project
    • J1 Radio / Japanese Broadcasting
    • Japan Earthquake Data
    • REC Systems Status
    • eLMS: Enhanced LMS Data Project
    • Open Data at REC
    • Our Objectives
  • Contact

Breadcrumb

  • Home

Michi on YouTube

Other tools & info

  • Filing Window Tracking
  • Enforcement Actions
  • REC Advisory Letters
  • FAQ-Knowledge Base
  • U/D Ratio Calculator
  • Propagation Curves
  • Runway Slope/REC TOWAIR
  • Coordinate Conversion
  • PREMIS: Address Profile
  • Spare Call Sign List
  • FCC (commercial) filing fees
  • Class D FM stations in Alaska
  • ARRR: Pirate radio notices
  • Unlicensed broadcasting (part 15)
  • FMmap - broadcast atlas
  • Federal Register
  • Rate Card & Policies
  • REC system status
  • Server Status
  • REC Systems Changelog
  • Complete site index

REC LPFM Advisory Letter #17: Practice of Good Network Security for EAS and other station assets.

2026 FM Translator Filing Window. Resources and REC professional services

Created December 22, 2022, Updated July 10, 2026

Following a Practice of Good Network Security assures that the assets of an LPFM or other Small Station are properly protected from cyber-attacks and other illicit activity, especially where it comes to the protection of the Emergency Alert System (EAS) decoder/encoder, which if compromised, can result in the initiation of a false alert that can create local panic, alert fatigue and require the station to initiate FCC processes in order to report the false alert.  You also want to make sure that general access to your station's air chain is also protected, especially if you are using the internet to deliver programming from the studio to the transmitter (such as using a pair of Barix boxes).

On June 25, 2026, the Commission adopted a set of simplistic rules in §11.35 that requires broadcast stations (EAS participants) to implement security controls with respect to EAS equipment, studio to transmitter links and any remotely managed equipment that routes, processes or inserts content into the broadcaster's programming.  The specific language of the rule (§11.35(d)) requires:

  • Prior to any use to broadcast to the public, broadcasters shall change any default password, use strong passwords and change any password if the broadcaster has reason to believe that the password has been compromised.
    • A strong password has a minimum of 15 characters and does not use any dictionary words.
    • Instead of using a strong password, broadcasters may use alternative authentication methods such as look-up secrets, out-of-band devices, single or multi-factor one time password.
    • Single or multi-factor cryptographic authentication.
    • Passwords should not be reused for the broadcaster’s other accounts, equipment, applications or services.
  • Install security patches and security-related software and firmware updates provided by equipment manufacturers promptly after those patches or upgrades become unavailable. Security patches and security-related software and firmware updates issued by equipment manufacturers may be tested before they are installed, providing that the testing begins promptly and is completed in a timeframe that is consistent with industry best practices.
  • Use a network firewall or comparable network segmentation practice that limits remote management access to authorized devices and authorized users.

These requirements will be in effect 60 days after the rule has been published in the Federal Register.  Compliance is expected on that day. 

In addition to making sure that you are running a current version of the EAS software/firmware, REC makes the following recommendations to assure that a station's EAS decoder is best secured on their network to prevent false alerts:

Use a firewall of other access control.  As required under the new FCC cybersecurity policy, all equipment should be behind a software or hardware firewal; to assure that only authorized users can even access the equipment to enter authenication. 

Never use static IP addresses without additional protections.  A static IP address is an IP address that is specific to the device (such as the EAS decoder).  Static IP addresses are assigned by the internet service provider (ISP) and are normally used only in institutional environments (such as universities or large corporations) or as a feature of a business grade internet service plan.  Even an EAS on a static IP address using a port number other than the standard port numbers 80 and 443 are exposed and are vulnerable.  If a static IP must be used, consider the installation of a router and placing both the EAS and a regular PC on that router.  Have the router set to port forward to the regular PC and have that regular PC running some kind of remote desktop software (VNC can be used but is not as secure as other solutions that may be available).  The user would log into the remote desktop (using a password) and then once there, they can use a web browser to access the EAS decoder's logon screen.  If a static IP must be used, it should have a firewall in place in order to limit access only from specific authorized IP addresses.

Avoid using port forwarding directly to an EAS decoder.  Most Small Stations that use regular home or small business class internet service from their ISP will normally use a dynamic IP address.  This IP address is assigned by the ISP from a pool of IP addresses and depending on the provider, can change at any time.  Users from outside would access the router through either the dynamic IP address assigned by the ISP or using a dynamic DNS service which monitors the station's IP address and permits access through using a fully qualified domain name (FQDN).  Using port forwarding in the router, the station can set up a routing based on a "port number" used after the dynamic IP or FQDN to route to the EAS decoder. Even though this method may not make the EAS decoder easily accessed, the EAS decoder remains visible using the specific port number assigned in the router.  Instead of setting up port forwarding directly to an EAS decoder, have the router set to port forward to the regular PC and have that regular PC running some kind of remote desktop software (VNC can be used but is not as secure as other solutions that may be available).  The user would log into the remote desktop (using a password) and then once there, they can use a web browser to access the EAS decoder's logon screen.  If you must use this method, incorporate firewall methods that restrict incoming access to specific authorized IP addresses.

Periodically check for EAS security updates.  It is very important, and now required by the new FCC cybersecurity policy for broadcast stations to keep up with software/firmware updates from their EAS manufacturer (as well as the manufacturer of other non-EAS equipment that is connected).  While the EAS providers may charge for major updates, many updates which are mainly intended to be "security patches" are usually provided free of charge.  For those stations using the REC Self-Inspection Checklist, you should include checking with EAS and other equipment providers to assure that your equipment is running the latest version.

Limit who can access the EAS decoder (DASDEC).  An administrator level password should only be provided to those who have a direct business need to make configuration changes to their EAS decoder.  The DASDEC does provide the ability to add additional user accounts at varying levels of access based on the user's specific business need, including a "view only" level, which cannot originate alerts.  The "view only" level can be given to station staff that may need access to view past alerts or to get EAS log information, especially in the case of an inspection. 

Limit who can access the EAS decoder (Sage).  The Sage has a user level password and an administrator level password.  The user level password permits the origination of alerts so it is recommended that only those who have a true business need to configure or operate the EAS decoder should have access to this password.  Unlike the DASDEC, there is no "view only" level of access in the Sage.

Use third party sources for newsgathering and to elaborate on previous alerts.  If the station receives and forwards an EAS alert on the air and the local air talent wishes to talk more about it on the air, instead of accessing the EAS, they should use a third party source.  REC clients with a minimum spend have access to such a screen through our myLPFM portal that permits air talent to visit a web page without a password requirement to show details of unexpired EAS alerts as well as other National Weather Service bulletins that did not trigger an EAS alert.  Unexpired alert (EAS and non-EAS) details are also available at recnet.com/cap.

Periodicially change passwords (Sage).  While this is not as much of an issue with the DASDEC, which can provide access at a specific user level which does not have to be shared between multiple people, this is a major vulnerability for the Sage as it only has a single user and administrative password that must be shared among all users who have a need to know.  Periodic changing of this password at either certain intervals or when someone leaves the station is very prudent to assuring the EAS remains secure. 

Disable the front panel demo alerting function (DASDEC).  The DASDEC offers a method where a demonstration alert can be sent over the air by the pushing of a front panel button.  This functionality can be disabled in the web interface using an administrator level password.  While the demo alert function is good for off-air testing of the equipment, it should not be used.  Even if the front panel function is disabled, these demo alerts can still be initiated by a higher user level from the web interface.

Immediately change default passwords.  EAS units are shipped with default passwords and sometimes systems may revert to default passwords for factory resets and software/firmware updates.  Make sure that as soon as unit is installed or otherwise has the password changed back to the defaults, they are immediately changed back to discrete passwords in order to prevent malicious access.  Also, if your station uses Barix boxes or other equipment that connects directly to the internet, make sure that you change those default passwords before putting the equipment into production service to prevent unauthorized access and program hijacking.

Use strong passwords.  Per the new Commission standard, a strong password should be at least 15 characters in length and should avoid words that you may find in the dictionary. 

Keeping passwords secure.  Passwords (especially for the Sage) should not be posted in conspicuous places.  They should be kept written in a secure location that is not easily seen by any visitor or any other unauthorized person.  While we all know that keeping a house key under the doormat is not very secure, hanging the key on the front door is asking for trouble.  Same thing here. 

Place the EAS in the studio site instead of at a remote transmitter site. Placing the EAS at a remote transmitter site requires there to be an internet connection established in order to maintain the EAS if the person is not physically at the transmitter site.  Because of limited rack space at some transmitter site installations, there may be no provision to place a computer at the transmitter site to access a remote desktop to access the EAS (plus the presence the equipment at a shared site may pose some additional risks).  It is always best to have the EAS in the audio chain on the studio side before the program audio leaves the main studio location.  If a DASDEC must be installed at the transmitter site, make sure the front panel demo alert mode is disabled.

Use two-factor authentication methods if they are ever offered.  Two-factor authentication is an additional level of security where if someone does enter the password for the EAS decoder, the system would send an email to the authorized user with a confirmation code that must be entered. Currently, neither the DASDEC nor the Sage provide two-factor authentication, but this is something that REC is pushing for as a potential solution to protect EAS decoders from false alerts due to cyber-attacks.  If these features are ever offered, we strongly suggest their use.  Other equipment or services may offer this level of security.  It is also very important to assure that email addresses in your organization are "evergreen" (does not change when staff changes).  Likewise, if there is a change in the organization where emails or phone numbers do change, make sure that you also update equipment and services that use two factor authentication to assure that the correct email or phone number is receiving the authentication codes.

Use your EAS decoder's email functionality. Both the DASDEC and the Sage have the capability to email reports to one of more specific email addresses.  Both the DASDEC and Sage can send alert logs, alert notifications and errors.  We strongly recommend that in lieu of accessing the EAS decoder to get log information that the email logs sent by the EAS decoder are printed and retained as part of the station's log.  That way they can be easily reviewed by FCC staff in the event of an inspection or investigation without having to wait for a specific staff member who knows the EAS password.  Like we suggest with two-factor authentication, please make sure you either have evergreen email addresses or you keep your equipment up to date with the current email address of the person responsible for monitoring notifications. 

Practice good common sense network security at the station.  Assure that station assets are only used for station business and that computers are only equipped with the applications necessary to run the station.  Develop policies to make clear that staff or volunteers should not use station computers to access their own emails and download attachments and to use due diligence when receiving an email with an attached file from an unknown external source.  This basic security can prevent stations from experiencing malware, spyware, ransomware and other major security risks. 

The station is your castle, make sure you are protecting it as much as possible.

REC Essentials

  • FCC.TODAY
  • FCCdata.org
  • myLPFM Station Management
  • REC site map

The More You Know...

  • Unlicensed Broadcasting
  • Class D Stations for Alaska
  • Broadcasting in Japan
  • Our Jingles

Other REC sites

  • J1 Radio
  • REC Delmarva FM
  • Japan Earthquake Information
  • API for developers

But wait, there's more!

  • Join NFCB
  • Pacifica Network
  • MICHI-FM: slightly off the deep end
  • Report a bug with an REC system

Copyright © REC Networks/Riverton Radio Project Association - All Rights Reserved
EU cookie policy

Please show your support by using the Ko-Fi link at the bottom of the page. Thank you for supporting REC's efforts!