On May 16, 2024, the Federal Communications Commission announced a tentative agenda for their June 6 open meeting. The agenda includes a vote on establishing a “Schools and Libraries Cybersecurity Pilot Program” intended to “help the Commission evaluate the use of the [Universal Service Fund] to support [cybersecurity] services and equipment.” The open meeting agenda includes a draft Report and Order which, if approved, will contain the pilot program’s official rules and regulations. Highlights from the draft Report and Order include:
Pilot funding and duration: the pilot will be a three-year program funded with up to $200 million. Although the FCC recognized that many commenters to the cybersecurity pilot NPRM advocated for a shorter duration, they assert that “it is imperative to carefully consider the potential benefits – and burdens – before deciding whether to move forward with [cybersecurity] funding on a wider scale or permanent basis.” The Order specifies a $200 million funding cap, which will come from “unused E-rate funds from prior funding years” to “minimize the impact on the contribution factor.”
Funding caps and prioritization: pilot program participants will be subject to a pre-discount “budget” similar to the current Category Two budget system used in the E-rate program. School applicants’ budget will be set at $13.60 per student, an amount resulting from a 2021 cybersecurity cost analysis performed by the Consortium for School Networking and Funds For Learning. Library applicants will receive a budget of $15,000 per library location. All applicants will be subject to a $15,000 budget minimum (for schools with fewer than 1,100 students) and a $1.5 million budget maximum (for schools with more than 110,000 students).
Should requests for pilot funds exceed the available $200 million funding cap, applications will be prioritized by Category One E-rate discount rates, starting with 90% applicants and working downward until no funds remain. If there is insufficient funding for all requests at a specific discount rate, the administrators will “allocate the remaining support on a pro rata basis over that single discount percentage level.”
Eligible services: the Order adopts a “flexible approach” in establishing its Eligible Services List, deeming “services and/or equipment eligible if they ‘constitute a protection designed to improve or enhance the cybersecurity of a K-12 schools, library or consortia.’” The Pilot Eligible Services List, or P-ESL, “enumerates as eligible, in a non-limiting manner, four general categories of technology” for pilot-eligible products and services. Those categories are:
- Advanced and Next-Generation Firewalls
- Endpoint Protection
- Identity Protection and Authentication
- Monitoring, Detection, and Response
In each category, the P-ESL provides multiple examples of specific technologies which (along with their “substantially similar features or their equivalents” will be considered eligible for pilot funds. The P-ESL specifically excludes basic firewall products and services which are already eligible for E-rate program discounts.
Applying to participate: in response to comments expressing concern about the sensitive nature of cybersecurity posture and attack information requested as a part of the application process, the FCC has divided its participation application (FCC Form 484) into two parts. Part one of the application “will collect a more general level of cybersecurity information about the applicant and its proposed Pilot project, and will use pre-populated data where possible, as well as several “yes/no” questions and questions with a predetermined set of responses.” If selected to participate, an applicant will then be required to complete part two of the application, which will collect more detailed information about the applicant’s current cybersecurity posture, training, and policies and history of cyber threats.
Application process modeled after E-rate: if selected, participants will undergo an application process that is very similar to the current E-rate process. This includes competitive bidding via FCC Form 470, requesting discounts via FCC Form 471, and invoicing via BEARs or SPIs (FCC Forms 472 or 474.) Pilot participants will be subject to the Children’s Internet Protection Act (CIPA) requirements, and the Universal Service Administrative Company (USAC) has been chosen as the administrator for the pilot program and will process applications and payments. The pilot program also employs E-rate-like integrity protections, such as document retention requirements, gift rules, regulatory certifications, and audits.
View the FCC’s draft Report and Order here.
