FCC Proposes $200M Cybersecurity Pilot Program

November 15, 2023

This week, the FCC released a Notice of Proposed Rulemaking (NPRM), proposing a new $200 million Cybersecurity Pilot Program that is intended to gather data concerning cybersecurity and advanced firewalls to better inform them whether and how E-rate should eventually cover those services/equipment.  The Pilot Program will be competitive, and if selected to participate, applicants will then generally follow the same bidding/application/reimbursement process as the E-rate program.  I’ve tried to summarize below the NPRM’s proposals:

  • Timing:  The NPRM is seeking comments on 176 specific questions, with initial comments due 30 days after the NPRM is published in the Federal Register (so likely due around mid-end of December) and reply comments due 30 days after initial comments are due.  After that, the FCC will review comments and release an Order with complete program eligibility, rules and timing of the Pilot Application Window.  I would be surprised to see a final Cybersecurity Pilot Order released before late-February 2024.
  • Eligible Applicants:  Schools, libraries and consortia will be eligible to apply for consideration into the Pilot.  The FCC is seeking comments on what criteria should be used in their selection process to ensure a wide, cross selection of applicants (i.e.: large/small entity, poverty levels, fewer participants with larger requests or larger number of participants with less funding requests, faced previous cyberattacks, have knowledge or no knowledge of cyber security, already implementing CICA’s K-12 cybersecurity recommendations?).
  • Equipment/Service Eligibility:  The NPRM was not specific about what will be eligible and is seeking comment in this area.  The FCC proposes that eligible equipment/services will generally “identify and/or remediate threats that could otherwise directly impair or disrupt a school’s or library’s network, including to threats from users accessing the network remotely,” regardless of whether the equipment or services are located within a school’s or library’s classroom or other physical premises.  Equipment must be network-based (i.e., not end-user devices, including, for example, tablets, smartphones, and laptops) and services must be network-based and/or locally installed on end-user devices, where the devices are owned or leased by the school or library.  The final Order will specify an enumerated list of eligible security technologies/measures that will qualify.  (Note:  E-rate currently funds basic firewall appliances, but not advanced firewall services such as anti-virus and anti-spam software, intrusion protection and prevention devices that monitor, detect, and deter threats to a network from external and internal attacks, and other data protection services/equipment.)
  • Length of Pilot:  The Pilot will make funding available to selected participants for a three-year term (there will not be a new round of Pilot Participants selected each year).  Participants be permitted to seek funding for services/equipment to be provided over the proposed three-year term in a single application, but those costs must be supported by multi-year contract/agreement(s).
  • Funding:  $200 million total.  If selected, E-rate discounts will apply, meaning the Pilot will not cover 100% of the costs.  There is no funding cap per participant proposed, although the FCC is seeking comments on this issue.
  • Reporting Requirements:  If selected, Pilot Participants must submit an annual progress report and a final report at the conclusion of the Pilot Program.  Reports will contain information on how the Pilot funding was used, any changes or advancements that were made to the school’s or library’s cybersecurity efforts outside of the Pilot-funded services and equipment, and the number of cyber incidents that occurred each year of the Pilot Program and whether the school or library was successful in defending its broadband network and data for each incident.
  • Pilot Participant Selection Application Window/Timeline for Selection:  Interested K-12 schools and libraries will have a 60-day Pilot Application Window to apply using what will be a new, online FCC Form 484.  Applicants will describe their proposed use of Pilot funds and provide information that will facilitate the selection of Pilot Participants (see below for details that must be in the Pilot Application).  The FCC will then review all applications and select Pilot Participants within 90 days following the close of the FCC Form 484 Pilot Application Window.
  • Process if Selected for Pilot Participation:

a. Submit Cybersecurity Pilot Form 470 to competitively bid eligible equipment/services.  Wait at least 28 days prior to conducting bid evaluation.
b. Sign vendor contract
c. Submit Cybersecurity Pilot Form 471
d. USAC issues Funding Commitment Decision Letter

— Appeals must be submitted to USAC within 30 days, with a 30-day FCC appeal option (this is shorter than the E-rate appeal deadline).

e. Applicant/Service Provider submits BEAR or SPI reimbursement to USAC within 90 days of the last date to receive equipment/service (this is shorter than the E-rate reimbursement deadline).  A 90-day extension can be requested.
f. Applicant submits annual progress reports and a final report at the conclusion of the Pilot Program.

Details Required to be Submitted in FCC Form 484 Pilot Application:

a. Name, address, and contact information for the interested school or library.  For school district or library system applicants, the name and address of all schools/libraries within the district/system, and contact information for the district or library system.

b. Description of the Pilot participant’s current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics, and a description of its proposed advanced cybersecurity action plan should it be selected to participate in the Pilot Program and receive funding.

c. Description of any incident of unauthorized operational access to the Pilot participant’s systems or equipment within a year of the date of its application; the date range of the incident; a description of the unauthorized access; the impact to the K-12 school or library; a description of the vulnerabilities exploited and the techniques used to access the system; and identifying information for each actor responsible for the incident, if known.

d. Description of the Pilot participant’s proposed use of the funding to protect its broadband network and data and improve its ability to address K-12 cyber concerns. This description should include the types of services and equipment the participant plans to purchase and the plan for implementing and using the Pilot-funded equipment and services to protect its broadband network and data, and improve its ability to manage and address its cybersecurity risks.

e. Description of how the Pilot participant plans to collect and track its progress in implementing the Pilot-funded equipment and services into its cybersecurity action plan, and for providing the required Pilot data, including the impact the funding had on its initial cybersecurity action plan that pre-dated implementation of Pilot efforts.

  •  Pilot Goals:

1) improving the security and protection of E-Rate-funded broadband networks and data;
2) measuring the costs associated with cybersecurity and advanced firewall services, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants; and
3) evaluating how to leverage other federal K-12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs.

  • Additional Requirements of Pilot Participants:  Participants will likely be required to fully leverage the free and low-cost K-12 cybersecurity resources provided by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Department of Education (DOE), to complement the Pilot’s work and make the most effective use of Pilot Program funding.
  • Audits:  Pilot Participants will be subject to audits and other investigations to evaluate their compliance with the statutory and regulatory requirements for the Pilot, including those requirements pertaining to what services and equipment are purchased, what services and equipment are delivered, and how services and equipment are being used.

If you are interested in applying for the Cybersecurity Pilot Program, I strongly encourage you to read the NPRM in detail and consider submitting comments that will help guide the final rules.  If you need assistance with submitting comments, please let me know.  As I learn more about this initiative, I’ll send details to the listserve.

— Julie

Julie Tritt Schell
Pennsylvania E-rate Coordinator
717-730-7133 – o
jtschell@comcast.net
www.e-ratepa.org

Site designed and maintained by Silver Penny Studio