FCC Will Launch Cybersecurity Pilot Program for Schools and Libraries
Friday, June 14, 2024
Weekly Digest
FCC Will Launch Cybersecurity Pilot Program for Schools and Libraries
You’re reading the Benton Institute for Broadband & Society’s Weekly Digest, a recap of the biggest (or most overlooked) broadband stories of the week. The digest is delivered via e-mail each Friday.
Round-Up for the Week of June 10-14
In 2023, Federal Communications Commission Chairwoman Jessica Rosenworcel called for a new Learn Without Limits Initiative spearheaded by the FCC. Initially, this meant expanding E-Rate––a Universal Service Fund program that helps to make telecommunications services more affordable for schools and libraries––funding to support Wi-Fi on school buses and Wi-Fi hotspots at libraries, school libraries, and schools for patrons or students in need. Now the initiative has expanded to encompass a variety of actions to close the Homework Gap. The most recent action, adopted on June 6, 2024, is the three-year, $200 million Schools and Libraries Cybersecurity Pilot Program. Here we take a quick look at the program's requirements, scope, timeline, and opportunities for schools and libraries.
About the Cybersecurity Pilot Program
The Schools and Libraries Cybersecurity Pilot Program will help the FCC evaluate whether, and to what extent, the Commission should leverage the Universal Service Fund (USF) to support the cybersecurity needs of schools and libraries. By proceeding via a short-term pilot program, the FCC aims to gather key data on the types of cybersecurity services and equipment that K-12 schools and libraries need to protect their broadband networks and securely connect students, school staff, and library patrons to advanced communications that are integral to education. The Pilot Program will evaluate whether supporting cybersecurity services and equipment with universal service funds advances the key universal service principles of providing quality Internet and broadband services to K-12 schools and libraries at just, reasonable, and affordable rates; and ensuring schools’ and libraries’ access to advanced telecommunications.
The Pilot Program will also enable the FCC to better estimate the costs of supporting cybersecurity services and equipment via the USF, which will help inform future decisions on how to best utilize the USF to support the connectivity and network security needs of K-12 schools and libraries. Data and information collected through the Pilot Program may also aid in the considerations of broader efforts across the government to help schools and libraries address their cybersecurity concerns.
The FCC acknowledges that other federal partners—including the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Education—have jurisdiction and deep expertise on cybersecurity matters. The FCC foresees continued interagency coordination to leverage its knowledge and resources to explore how the Commission can contribute to addressing the cybersecurity needs of K-12 schools and libraries.
The ongoing development of innovative digital learning technologies—and with that the continued need to connect students, school staff, and library patrons to digital opportunities—have led to a steady rise in the demand for bandwidth in schools and libraries. However, the shift to modern connectivity has brought with it increased cybersecurity threats and attacks, particularly for K-12 schools and libraries. Schools and libraries are therefore vulnerable to increased cybersecurity threats and attacks, often leading to the disruption of school and library operations, loss of learning, reductions in available bandwidth, significant monetary losses, and the leaking and theft of students’, school staff members’, and library patrons’ personal information and confidential data. Because they are data-rich environments that lack resources and advanced cybersecurity protections, schools and libraries will continue to be targets for malicious cybersecurity activities.
Who is Eligible?
Generally, the schools and libraries that are eligible to participate in the FCC's E-Rate program are also eligible to participate in the Schools and Libraries Cybersecurity Pilot Program.
Schools
Elementary and secondary schools are eligible for Pilot Program funding, excluding for-profit schools and those with an endowment exceeding $50,000,000. An “elementary school” is defined as a non-profit institutional day or residential school, including a public elementary charter school, that provides elementary education, as determined under state law. A “secondary school” is defined as a non-profit institutional day or residential school, including a public secondary charter school, that provides secondary education, as determined under state law except that the term does not include any education beyond grade 12.
Libraries
Eligible libraries include:
- A public library;
- A public elementary school or secondary school library;
- A Tribal library;
- An academic library;
- A research library, which for the purpose of this section means a library that:
- Makes publicly available library services and materials suitable for scholarly research and not otherwise available to the public; and
- Is not an integral part of an institution of higher education; and
- A private library, but only if the state in which such private library is located determines that the library should be considered a library for the purposes of this definition.
The Pilot Program is open to all eligible schools and libraries, including those that do not currently participate in the E-Rate program. The FCC acknowledges that all schools and libraries currently face increased cybersecurity threats and attacks regardless of whether they receive E-Rate funding, and opening the Pilot Program to all eligible schools and libraries will allow the Commission to gather data from the widest range of eligible participants.
Consortia
A “consortium” is any local, Tribal, statewide, regional, or interstate cooperative association of schools and/or libraries eligible for Schools and Libraries Cybersecurity Pilot Program support that seeks competitive bids for eligible services or funding for eligible services on behalf of some or all of its members. A consortium may also include healthcare providers, and public sector (governmental) entities, including, but not limited to, state colleges and state universities, state educational broadcasters, counties, and municipalities, although such entities are not eligible for support.
A “library consortium” is any local, statewide, Tribal, regional, or interstate cooperative association of libraries that provides for the systematic and effective coordination of the resources of schools, and public, academic, and special libraries and information centers, for improving services to the clientele of such libraries.
Consortia have buying power that can help bring down costs and including consortia in the Pilot Program would allow larger, better-resourced schools and libraries to partner with smaller, less technically savvy participants. Given the limited funding for the Pilot Program and the FCC's objective to select as many participants as possible, the Commission will allow a school or library to apply and participate only once in the Pilot Program, either individually or as part of a consortium.
Each consortium seeking support must identify an entity or organization that will lead the consortium. The Consortium Leader may be an eligible school or library participating in the consortium; a state organization; public sector governmental entity, including a Tribal government entity; or a non-profit entity that is ineligible for support under this subpart. Ineligible state organizations, public sector entities, or non-profit entities may serve as Consortium Leaders or provide consulting assistance to consortia only if they do not participate as potential service providers during the competitive bidding process. An ineligible entity that serves as the Consortium Leader must pass through the full value of any discounts, funding, or other program benefits secured to the eligible schools and libraries that are members of the consortium.
What's the Timeline and How Will the Funds be Spent?
The FCC established the Pilot Program as a three-year program in order to provide the Commission the time to evaluate whether universal service support should be used to fund cybersecurity services and equipment on a permanent basis. Funding will begin when selected Pilot participants are first eligible to receive eligible services and equipment (i.e., from the date of the first funding commitment decision letter).
The FCC also adopted a funding cap of $200 million over three years for the Pilot Program. To provide funding for the program, and to minimize the impact on the contribution factor, the FCC will assign unused E-Rate funds from prior funding years to cover the full $200 million cap.
The FCC adopted fixed per-student and per-library budgets to determine the amount of funding that participants may receive during the Pilot. A 2021 cost study submitted jointly by Funds For Learning (FFL), the Consortium for School Networking (CoSN), and others estimated it would cost approximately $13.60 per student annually to support advanced or next-generation firewall services, $16.20 per student annually to support endpoint security and protection, and $14.50 per student annually to support additional, advanced cybersecurity services and equipment.
Schools and School Districts
At a minimum, each eligible school or school district will receive $15,000. Schools and school districts with 1,100 students or fewer will be eligible to receive the $15,000 funding floor. For schools and school districts with more than 1,100 students, the budget is calculated using the pre-discount price $13.60 per-student multiplier, subject a budget maximum of $1.5 million.
The FCC recognizes that for many schools a pre-discount annual budget of $13.60 will not be sufficient to fund all of the school’s cybersecurity needs to achieve a fully mature cybersecurity posture, as doing so would typically require a school to implement multiple categories of technical solutions, often in a specific priority order. Given the limited Pilot funding available, the FCC's approach instead ensures that each participating school will receive funding to prioritize implementation of solutions within one major technological category, enabling the school to make meaningful progress toward its own cybersecurity goals and providing flexibility for schools with differing cybersecurity strengths and vulnerabilities.
Libraries and Library Systems
Each eligible library will receive a minimum of $15,000. Library systems with more than 11 sites will be eligible for support up to $175,000. Rather than adopt a per-user budget, as the FCC has for schools and school districts, or a budget based on library square footage as done for category two E-Rate funding requests, the FCC adopts a budget that provides a set amount of funding per library to purchase cybersecurity services and equipment.
Consortia
Consortia comprised of eligible schools and libraries will be eligible to receive funding based on student count, using the pre-discount $13.60 per student multiplier, and the number of library sites, using the $15,000 per library budget. Consortia solely comprised of schools or comprised of both eligible schools and libraries are subject to the $1.5 million budget maximum for schools and school districts. Consortia solely comprised of libraries will be subject to the $175,000 budget maximum for library systems. The FCC will also require each consortium to select a consortium leader.
Sharing Costs, Disbursement of Support, and Funding Needs
The FCC will require participants to contribute a portion of the costs of the cybersecurity services and equipment they seek to purchase with Pilot Program support, similar to the non-discount share that E-Rate applicants are required to contribute to the cost of their eligible services and equipment. Participants will use their E-Rate Category One––or, support for broadband connectivity to schools and libraries––discount rate to determine the non-discount share of costs. Thus, participants with students with the greatest need will be eligible for support for 90 percent of their costs, and will be required to contribute 10 percent of the cost of eligible cybersecurity services and equipment purchased with Pilot Program funds. By using the Category One discount rate, the program’s neediest schools and libraries will have greater flexibility in selecting eligible services and equipment, thus supporting the goal of evaluating the benefits of supporting advanced firewalls and cybersecurity services using the USF.
The FCC will permit Pilot participants to request reimbursement as expenses are incurred, even if it means that a greater amount of funding is disbursed earlier in the three-year Pilot term than is specified by annual budgets, so long as the overall disbursement to a participant over the course of the three-year Pilot term does not exceed three times the annual budget. The FCC acknowledges that some participants may face greater up-front costs for the services and equipment needed to implement their cybersecurity plans, whereas others may have ongoing recurring costs, or some combination of both.
The FCC expects the benefits of the Pilot Program to exceed the costs. As a threshold matter, the FCC notes that program participation by applicants, participants, and service providers is voluntary, and the FCC expects that Pilot participants will carefully weigh the benefits, costs, and burdens of participation to ensure that the benefits outweigh their costs. The Pilot Program will therefore enable the FCC to evaluate the benefits of using universal service funding to fund cybersecurity services and equipment against the costs before deciding whether to support it on a permanent basis.
What Services are Eligible or Ineligible for Funding?
Pilot participants should have, the FCC says, flexibility to determine which solutions best serve their needs by basing eligibility on broader considerations, rather than a specific and potentially rigid set of pre-authorized components. The FCC's approach is to “provide general guidance for applicants, but not lock them into specific technology products.” Eligible service include the advanced or next-generation firewalls, endpoint security and protection, and other advanced security services and equipment identified by E-Rate stakeholders, including FFL and CoSN. The FCC aims to “establish general categories of eligible offerings” without “specify[ing] the precise technologies or solutions that must be relied upon” and allow “[p]ilot participants to select any product and/or services that fall into any of the eligible categories.”
Given this wide view of eligible equipment, the FCC offers four broad categories of eligible equipment under the Pilot Program.
1. Advanced and Next-Generation Firewalls
The FCC enables Pilot participants to protect their networks from outside cyber attackers by blocking malicious or unnecessary network traffic. For purposes of the Pilot, the Commission defines an “advanced” or “next-generation” firewall as “equipment, services, or a combination of equipment and services that limits access between networks, excluding basic firewall services and components that are currently funded through the E-Rate program.”
Funding some level of training, the FCC says, will help to ensure that the Pilot-funded equipment and services are used effectively and for maximum benefit. Accordingly, the Commission makes training eligible on terms similar to those in E-Rate, namely, when the training is included “as a part of installation services but only if it is basic instruction on the use of eligible equipment, directly associated with equipment installation, and is part of the contract or agreement for the equipment” and if it “occur[s] coincidently or within a reasonable time after installation.”
2. Endpoint Protection
The FCC makes endpoint protection, including anti-virus, anti-malware, and anti-ransomware, services, and equipment eligible in the Pilot so that participants can protect their networks from potential vulnerabilities introduced by desktops, laptops, mobile devices, and other end-user devices that connect to their networks. For the purposes of the Pilot, the FCC defines endpoint protection as “equipment, services, or a combination of equipment and services that implements safeguards to protect school- and library-owned end-user devices, including desktops, laptops, and mobile devices, against cybersecurity threats and attacks."
3. Identity Protection and Authentication
The FCC also makes identity protection and authentication tools eligible in the Pilot so that participants can prevent malicious actors from accessing and compromising their networks under the guise of being legitimate users. Such tools may include DNS/DNS-layer security, content blocking and filtering/URL filtering, multi-factor authentication (MFA)/phishing-resistant MFA, single sign-on (SSO), and event logging. For the purposes of the Pilot, the FCC defines identity protection and authentication as “equipment, services, or a combination of equipment and services that implements safeguards to protect a user’s network identity from theft or misuse and/or provide assurance about the network identity of an entity interacting with a system.”
4. Monitoring, Detection, and Response
The FCC makes network monitoring, detection, and response, including the use of security operations centers (SOCs) for managed cybersecurity services, eligible in the Pilot so that participants can promptly and reliably detect and neutralize malicious activities that would otherwise compromise their networks. For purposes of the Pilot, the Commission defines monitoring, detection, and response as “equipment, services, or a combination of equipment and services that monitor and/or detect threats to a network and that take responsive action to remediate or otherwise address those threats.”
Ineligible Equipment
The FCC imposes a number of limitations on eligibility to ensure the efficient and appropriate use of the limited Pilot funds, and to avoid duplicative funding, protect against waste, fraud, and abuse, and stretch the limited support available through the Pilot. First, the FCC makes ineligible for the Pilot funding any services, equipment, or associated cost that is already eligible through the E-Rate program. The FCC similarly makes ineligible for Pilot funding any service, equipment, or associated cost for which an applicant has already received full reimbursement, or plans to apply for full reimbursement, through any other USF or federal, state, Tribal, or local government program through which reimbursement is sought. Participants may, however, use Pilot funding to support Pilot-eligible services and equipment that participants were previously paying for themselves, subject to our competitive bidding rules, as this will allow the Commission to evaluate the efficacy of using universal service funding to support cybersecurity services and equipment, while potentially freeing up funding for participants to use for other needs.
The FCC finds that limiting eligibility in this manner ensures that the Commission maximizes the use of the limited Pilot funding by eliminating the provision of redundant or duplicative support for the same cybersecurity services and equipment funded through other sources. It will also maximize the data and information the Commission is able to collect on new services and equipment not already funded through E-Rate or other programs, thus efficiently using Pilot resources to best inform any potential Commission action based on the Pilot data. As is customary in E-Rate, the FCC requires Pilot participants to perform a cost allocation to remove from their funding requests costs associated with ineligible components or functions of an otherwise eligible equipment or service.
The FCC limits eligibility to “equipment that is network-based (i.e., that excludes end-user devices, including, for example, tablets, smartphones, and laptops) and services that are network-based and/or locally installed on end-user devices, where the devices are owned or leased by the school or library,” and to equipment and services that are “designed to identify and/or remediate threats that could otherwise directly impair or disrupt a school’s or library’s network, including to threats from users accessing the network remotely.” “Network-based” services include those that are cloud-based and server-based.
The FCC also deems ineligible (i) staff salaries and labor costs for a participant’s personnel and (ii) beneficiary and consulting services that are not related to the installation and configuration of the eligible equipment and services. The FCC also applies the Secure and Trusted Communications Networks Act of 2019 to Pilot participants by prohibiting these participants from using any funding obtained through the program to rent, lease, or otherwise obtain any of the services or equipment on the Commission's Covered List or to maintain any of the services or equipment on the Covered List that was previously purchased, rented, leased, or otherwise obtained.
What are the Next Steps for Potential Program Participants?
The FCC plans to provide an FCC Form 484 application that applicants must use when submitting their project proposals to the Commission. Applicants will be required to complete each section of the first part of the application and make the required certifications. The FCC has designated USAC as the Administrator of the Pilot Program. The applications for the Pilot Program must be submitted through the Pilot portal on USAC’s website.
To be considered for the Pilot Program, an applicant must complete and submit part one of the FCC Form 484 application describing its proposed Pilot project and providing information to facilitate the evaluation and eventual selection of high-quality projects for inclusion in the Pilot. Specifically, the applicant must explain how its proposed project meets the considerations outlined in the FCC's report and order. In addition, the applicant must present a clear strategy for addressing the cybersecurity needs of its K-12 school(s) and/or library(ies) pursuant to its proposed Pilot project, and clearly articulate how the project will accomplish the applicant’s cybersecurity objectives.
The FCC anticipates that successful applicants will be able to demonstrate that they have a viable strategic plan for providing eligible cybersecurity services and equipment directly to the school(s) and/or library(ies) included in their proposed Pilot projects. Further, the Commission expect applications to be tailored to the unique circumstances of each applicant. USAC and/or the FCC's Wireline Competition Bureau may disqualify from consideration for the Pilot those applications that provide a bare minimum of information or are generic or template in nature.
To facilitate the inclusion of a diverse set of Pilot projects and to target Pilot funds to the populations most in need of cybersecurity support, particularly those with minimal or no cybersecurity protections today, the FCC anticipates selecting projects from, and providing funding to, a combination of large and small and urban and rural schools, libraries, and consortia, with an emphasis on funding proposed Pilot projects that include low-income and Tribal applicants.
The FCC's Wireline Competition Bureau will announce the opening of the Pilot Participant Selection Application Window for participants to submit their applications. The filing period shall begin and conclude on dates to be determined by the Wireline Competition Bureau.
For more information about the Schools and Libraries Cybersecurity Pilot Program, visit the FCC's full Report and Order.
Quick Bits
- Rep Gallego Introduces Bill to Extend, Improve the Affordable Connectivity Program
- Sen Gillibrand Announces Legislation To Renew The Affordable Connectivity Program, Provide Low-Cost Internet To Nearly Two Million New York Households
- Blueprints for BEAD: Stakeholders May Use Rebuttal Power to Prevent New Errors in BEAD Maps
- FCC’s $8 Billion Phone Subsidy Survives Supreme Court Challenge
Weekend Reads
- Understanding uptake in demand-side broadband subsidy programs: The affordable connectivity program case
- The unique challenge of bringing broadband to rural America
- NTIA, FCC, Navy Work to Expand Innovative 3.5 GHz Spectrum Sharing Framework
- How Americans Get News on TikTok, X, Facebook and Instagram
ICYMI from Benton
- Ten Things About ACP that Ted Cruz Cares About—And Ten Answers that Could Help Reshape How We Think About the Program
- What Are ISPs Offering Consumers after ACP?
- Neighborly Networks: Vermont’s Approach to Community Broadband
- Pennsylvania's Plan for Affordable Broadband
- Connections and Collaboration in the Mountains
Upcoming Events
Jun 17––Virtual Tribal Consultation (FCC)
Jun 18––Executive Session (Senate Commerce Committee)
Jun 18––Broadband Bootcamp 2.0 (Appalachian Regional Commission)
Jun 18––Announcing CBRS 2.0 (New America)
Jun 18––Listening Session with Formerly Incarcerated People (FCC)
Jun 18––Connecting Missouri: Show Me Digital Equity! (Marconi Society)
Jun 19––Juneteenth National Digital Equity Bible Study (Black Churches 4 Digital Equity Coalition)
Jun 20––Broadband Data Today (Appalachian Regional Commission)
Jun 21––Technological Advisory Council Meeting (FCC)
Jun 25––Arkansas BEAD Digital Opportunity Conference (Arkansas State Broadband Office)
Jun 25––5x5 Summit: The Public Safety Innovation Summit (Department of Commerce)
Jun 25––Navigating Broadband for Communities with Differing Resources and Capacity (Appalachian Regional Commission)
Jun 26––Consumer Advisory Committee Meeting (FCC)
Jun 27––Building Great Digital Equity Programs using the Digital Navigator Model (Appalachian Regional Commission)
Jun 27––Digital Equity for Small and Rural Communities (NTIA)
Jun 27––Power of Partnership: State Strategies for Digital and Educational Equity (Benton Institute for Broadband & Society)
Jul 2––Filling in the Holes after BEAD (Appalachian Regional Commission)
Jul 10––Power of Partnership: State Strategies for Digital and Educational Equity (Benton Institute for Broadband & Society)
Jul 18––July 2024 Open Federal Communications Commission Meeting (FCC)
The Benton Institute for Broadband & Society is a non-profit organization dedicated to ensuring that all people in the U.S. have access to competitive, High-Performance Broadband regardless of where they live or who they are. We believe communication policy - rooted in the values of access, equity, and diversity - has the power to deliver new opportunities and strengthen communities.
© Benton Institute for Broadband & Society 2024. Redistribution of this email publication - both internally and externally - is encouraged if it includes this copyright statement.
For subscribe/unsubscribe info, please email headlinesATbentonDOTorg