AVL Blog - Communications Law & Technology

FCC Proposes Creation Of Schools And Libraries Cybersecurity Pilot Program - $200 Million In Funding Over Three Years

November 13, 2023 – The Federal Communications Commission (FCC) has released a Notice of Proposed Rulemaking (NPRM) that proposes the creation of a Schools and Libraries Cybersecurity Pilot Program.[1]

If ultimately approved, the Pilot Program will provide universal service funding “to eligible K-12 schools and libraries to defray the qualifying costs of receiving the cybersecurity and advanced firewall services needed to protect their E-Rate-funded broadband networks and data from the growing number of K-12 school- and library-focused cyber events.”[2]

Comments on the NPRM are due on or before 30 days after the NPRM is published in the Federal Register. Reply comments are due 60 days after publication.

Background – E-Rate & Cybersecurity

In the last few years, K-12 schools and libraries have increasingly become targets of cyberattacks. According to data cited by the FCC in the NPRM, “[r]ecent information shows that schools and libraries are vulnerable to increased cyber threats and attacks, often leading to the disruption of school and library operations, loss of learning, reductions in available bandwidth, significant monetary losses, and the leaking and theft of students’, school staff members’, and library patrons’ personal information and confidential data.”[3]

While the E-Rate program currently funds basic firewall service provided as part of a category one Internet service, it does not directly fund advanced firewall services or other similar cybersecurity services or products. Going back at least a decade, the FCC has consistently “declined to fund advanced firewall services or to extend basic firewall services to include anti-virus and anti-spam software, intrusion protection and prevention devices that monitor, detect, and deter threats to a network from external and internal attacks, and other services to protect networks, and removed virtual private networks (VPN) and other data protection services from the E-Rate eligible services list.”[4] However, due to the growing number of cyber threats to schools and continued pressure from E-Rate stakeholders, the FCC is now taking the first step toward allowing E-Rate program support for cybersecurity and advanced firewall services.

NPRM: Key Details Of The Proposed Schools And Libraries Cybersecurity Pilot Program

Below is a high-level summary of key details of the proposed Schools and Libraries Cybersecurity Pilot Program. The FCC is seeking comment on all aspects of the proposed program.

Pilot Program Budget:  The FCC proposes a total budget of $200 million over the three-year duration of the proposed program.[5] The FCC requests comment on a number of questions related to the Pilot Program budget, funding, and awards:

  • Should the FCC establish a maximum funding cap per Pilot Program participant?

  • Should the FCC establish a per-student cap, and a corresponding cap on libraries based on their square footage, based on commercially available costs?

  • Should participants be required to contribute and be responsible for a portion of their project costs in order to receive program funding?

  • Should the FCC disburse a smaller amount of funding to a larger number of Pilot participants to increase the total volume of cybersecurity data available?

  • Should the FCC disburse a larger amount of funding to fewer Pilot participants to obtain a more holistic look at how the support could best be used to protect E-Rate-funded broadband networks and data, as well as help K-12 schools and libraries address cybersecurity issues?

  • Should participants be permitted to seek funding for services and equipment to be provided over the proposed three-year term in a single application and be supported by multi-year contracts and agreements for this term?

Pilot Program Duration:  The FCC proposes that the Pilot Program will make funding available to participants for a three-year term.[6]

Pilot Program Structure:  The proposed program will be structured similarly to the Connected Care Pilot Program.[7] After submitting an application, selected schools and libraries will be provided an opportunity to apply for funding for eligible services and equipment. Participants will then receive a funding commitment to acquire equipment or services, and submit invoices for reimbursement. The Universal Service Administrative Company (USAC) will be appointed as the permanent administrator of the program.

Pilot Program Goals:  (1) improving the security and protection of E-Rate-funded broadband networks and data; (2) measuring the costs associated with cybersecurity and advanced firewall services, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants; and (3) evaluating how to leverage other federal K-12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs.[8]

Pilot Program Participant Reporting:  The FCC proposes that Pilot Program participants submit certain information to apply for the Pilot, a progress report for each year of the pilot, and a final report at the conclusion of the program.[9] The FCC proposes that participants’ reports contain information on how funding was used, any changes or advancements that were made to the school’s or library’s cybersecurity efforts outside of the Pilot-funded services and equipment, and the number of cyber incidents that occurred each year of the Pilot Program and whether the school or library was successful in defending its broadband network and data for each incident.

Pilot Program Applications:  To participate, schools and libraries will be required to submit an application describing how they will use program funds, if selected.[10] At a minimum, the FCC proposes that Pilot Program applicants must provide the following information in their applications:

  1. Name, address, and contact information for the interested school or library. For school district or library system applicants, the name and address of all schools/libraries within the district/system, and contact information for the district or library system.

  2. Description of the Pilot participant’s current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics, and a description of its proposed advanced cybersecurity action plan should it be selected to participate in the Pilot program and receive funding.

  3. Description of any incident of unauthorized operational access to the Pilot participant’s systems or equipment within a year of the date of its application; the date range of the incident; a description of the unauthorized access; the impact to the K-12 school or library; a description of the vulnerabilities exploited and the techniques used to access the system; and identifying information for each actor responsible for the incident, if known.

  4. Description of the Pilot participant’s proposed use of the funding to protect its broadband network and data and improve its ability to address K-12 cyber concerns. This description should include the types of services and equipment the participant plans to purchase and the plan for implementing and using the Pilot-funded equipment and services to protect its broadband network and data, and improve its ability to manage and address its cybersecurity risks.

  5. Description of how the Pilot participant plans to collect and track its progress in implementing the Pilot-funded equipment and services into its cybersecurity action plan, and for providing the required Pilot data, including the impact the funding had on its initial cybersecurity action plan that pre-dated implementation of Pilot efforts.

Eligibility & Selection Of Pilot Program Participants:  The FCC is seeking comment on various questions to help it determine who should be selected to participate in the Pilot Program.[11]

  • Who should be eligible to participate in the Pilot Program and how should the FCC select Pilot participants?

  • How can the FCC ensure that it identifies a wide cross-section of Pilot Program participants to allow it to evaluate the effectiveness of providing universal service support for K-12 schools’ and libraries’ cybersecurity needs, and do so in a fair and transparent manner?

  • Should the FCC limit program eligibility to schools and libraries currently participating in the E-Rate program?

  • Should the FCC expand Pilot Program eligibility to include schools and libraries that do not currently participate in the E-Rate program?

  • Should the FCC select Pilot Program participants based on specific objective factors like: E-Rate category two discount rate levels; location (e.g., urban vs. rural); and/or participant size (i.e., small schools, school districts, and libraries vs. large schools, school districts, and libraries)? How should the FCC define, or what sources should the FCC use to define, these factors to ensure they are applied objectively? Are any of these factors (i.e., discount rate level, urban vs. rural, large vs. small) more or less important than others from an eligibility perspective? If yes, why are particular factors more or less important than others?

  • Should the FCC limit schools’ and libraries’ eligibility to participate in the Pilot Program to those schools and libraries that have faced or are facing certain types of cyber threats or attacks?

  • Should the FCC adopt any prerequisites for Pilot Program participation? For example, should Pilot Program participants be required to take a more active role in improving/enhancing their cybersecurity posture? If so, how should this be monitored and enforced? For example, should Pilot Program participants be required to correct known security flaws and conduct routine backups as part of the program? Should Pilot Program participants be required to participate in other federal efforts to share cybersecurity information and resources, such as the MS-ISAC or the K12 SIX?

Pilot Program Eligible Services, Equipment, & Security Measures: The FCC is seeking comment on the security measures, including equipment and services, that should be made eligible for funding to participants in the Pilot Program.[12]

  • Should the FCC specify eligibility in terms of general criteria rather than as a list of specific technologies? If so, what should the eligibility criteria be?

  • Should eligibility be limited to cybersecurity measures that are primarily or significantly used to facilitate connectivity? How does Section 254 of the Communications Act limit the kinds of cybersecurity solutions that can be purchased, and how they may be deployed, using pilot funds?

  • Should the FCC place restrictions on the manner or timing of a Pilot Program participant’s purchase of security measures? For example, should Pilot Program funding be limited to a participant’s one-time purchase of security measures or should the support cover the on-going, recurring costs that a participant may incur, for example, in the form of continual service contracts or recurring updates to the procured security measures?

  • If the FCC adopts a list of eligible measures or technologies, at what granularity should that list be specified? For example, should the FCC publish a specific list of security measures (similar to the Eligible Services List for the E-Rate program), to help participants understand which services and equipment are eligible for support through the proposed Pilot program?

  • Are advanced and next-generation firewalls the most important tools schools and libraries could adopt and how does the import of these cybersecurity tools compare to other tools previously identified in the record? For example, CISA and the DOE have identified things like MFA, regular software and hardware updates, and regular backups as important tools for combatting network threats. Do commenters continue to believe that focusing funding efforts primarily or exclusively on advanced and next-generation firewalls is appropriate in the context of today’s proposed Pilot Program, which would utilize separate USF funding and aims to evaluate the effectiveness of a wide range of security approaches?

  • If the list of eligible security measures should be more expansive than advanced firewalls in the context of today’s Pilot Program, which other measures should be included? For example, should the FCC determine eligible measures based on the recommendations from the CISA K-12 Cybersecurity Report, the DOE K-12 Digital Infrastructure Briefs, and/or other federal partner resources and guides? If so, how?

  • If the FCC were to make advanced firewall services eligible, how should “advanced firewall” be defined for the purposes of the proposed Pilot Program?

  • The FCC proposes to limit Pilot Program funding eligibility to equipment that is network-based (i.e., that excludes end-user devices, including, for example, tablets, smartphones, and laptops) and services that are network-based and/or locally installed on end-user devices, where the devices are owned or leased by the school or library. To be eligible for the Pilot, the FCC further proposes that the equipment or services be designed to identify and/or remediate threats that could otherwise directly impair or disrupt a school’s or library’s network, including threats from users accessing the network remotely.

Pilot Program Rules, Forms, & Processes:  The FCC proposes that Pilot Program participants comply with new rules that largely reflect and mirror the FCC’s existing E-Rate rules, including by requiring competitive bidding, prohibiting gifts, and requiring that a participant pay its non-discounted portion of the costs of the supported services.[13] The proposed Pilot Program rules are attached to the NPRM as Appendix A.

**********

[1] Schools and Libraries Cybersecurity Pilot Program, WC Docket No. 23-234, Notice Of Proposed Rulemaking, FCC 23-92 (Nov. 13, 2023) (NPRM), https://docs.fcc.gov/public/attachments/FCC-23-92A1.pdf.

[2] NPRM at ¶ 3. The purpose of the Pilot Program is two-fold: it will allow the FCC to “obtain valuable data concerning the cybersecurity and advanced firewall services that would best help K-12 schools and libraries address the growing cyber threats and attacks against their broadband networks and data”; and it will help the FCC “better understand the most effective way USF support could be used to help schools and libraries address these significant [cybersecurity] concerns while promoting the E-Rate program’s longstanding goal of promoting basic connectivity.” Id. at ¶ 2.

[3] NPRM at ¶ 6.

[4] NPRM at ¶ 12.

[5] NPRM at ¶ 29.

[6] NPRM at ¶ 28.

[7] NPRM at ¶ 26.

[8] NPRM at ¶¶ 19-23.

[9] NPRM at ¶ 24.

[10] NPRM at ¶ 27.

[11] NPRM at ¶¶ 34-38.

[12] NPRM at ¶¶ 39-46.

[13] NPRM at ¶¶ 47-51.