The deadline for initial comments to the Federal Communications Commission’s Notice of Proposed Rulemaking for the creation of a cybersecurity pilot program for K-12 schools and public libraries passed on January 29, 2023. In total, the Commission received almost 40 comments and ex parte meeting summaries regarding the pilot proposal. Commenters unanimously agreed that the FCC should move forward with the pilot, citing the urgent and critical need for advanced cybersecurity protections in our nation’s schools. Common themes emerging from multiple commenters include:
Shorten the duration
The most common area of agreement among commenters was that the FCC’s proposed three-year pilot timeframe is too long. Commenters cited the need to expedite the pilot so that permanent E-rate rule changes (or a permanent cybersecurity program) for all applicants could happen sooner.
More funding
A number of comments suggested that the proposed funding level of $200 million might not be enough to fund the number of projects required to perform an accurate data analysis. Suggested funding levels for the pilot varied (Funds For Learning suggested $312 million.)
Broad definition of eligible services
Several commenters suggested that the FCC refrain from implementing a specific list of products, services, or technologies as eligible for pilot program support, instead advocating for a broader (or categorical) eligible services framework which would allow for a variety of solutions to be funded and studied.
Tracking success
A few commenters proposed that the FCC measure the success of the pilot program by requiring applicants to commit to a specific cybersecurity posture or framework, reporting the effect the pilot funds would have on their progress toward full implementation of that initiative. Commenters argue that this method of tracking the program’s success would be more objective given the uncertain nature of cyber attacks on schools and libraries.
Privacy concerns
Several commenters urged the FCC to carefully consider the information collected via the Form 484 application to participate in the pilot, as well as what information is made publicly available. Commenters cautioned that public disclosure of applicants’ cybersecurity posture and current systems could show vulnerabilities or attack vectors that were previously undisclosed.
Reply comments to the cybersecurity NPRM are due February 27, 2024. Comments and reply comments submitted to the FCC may be viewed here.