TIA is helping states navigate BEAD cybersecurity requirements

As states draft their initial proposals for the Broadband Equity, Access and Deployment (BEAD) program, the Telecommunications Industry Association (TIA) is striving to help broadband offices tackle the cybersecurity aspect of the BEAD guidelines. Essentially, states must verify the vendors and suppliers to whom they award contracts have “adequate” cybersecurity and supply chain risk management (C/SCRM) plans. As for what exactly those requirements are, TIA CEO Dave Stehlin said it’s a “very long” and complicated answer. Stehlin explained the BEAD Notice of Funding Opportunity (NOFO) refers to four federal government documents on the subject of C/SCRM, including the NIST Cybersecurity Framework and Biden’s executive order from September 2022 on enhancing the supply chain. Each document is referred to “as being baseline requirements in BEAD.” TIA created a checklist state broadband offices can use to “operationalize these guidelines – something that you can touch and feel and measure.” States can then map those requirements to TIA’s Supply Chain Security Standard (or SCS 9001). Some of the questions on the checklist include:

• Does the organization identify cybersecurity roles and responsibilities of its workforce, including third party partners like suppliers and consultants?
• Does the organization have a Business Continuity Plan that enables the rapid recovery of normal business operations after a cyberattack or other disaster?
• Does the organization understand all legal and regulatory requirements under which it is expected to operate?

While Stehlin couldn’t say how many states have adopted the checklist, he noted TIA is dealing with “probably half of the states or more right now, at different speeds and different levels.”