Schools and Libraries Cybersecurity Pilot Program, 61282-61323 [2024-15866]

Download as PDF 61282 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations FEDERAL COMMUNICATIONS COMMISSION 47 CFR Part 54 [WC Docket No. 23–234; FCC 24–63; FRS ID 230286] Schools and Libraries Cybersecurity Pilot Program Federal Communications Commission. ACTION: Final rule. AGENCY: In this document, the Federal Communications Commission (Commission or FCC) stablishes the Schools and Libraries Cybersecurity Pilot Program (Pilot or Pilot Program). The Pilot Program will enable the Commission to evaluate the impact that using Universal Service Fund (USF or Fund) support for eligible cybersecurity services and equipment will have on protecting school and library broadband networks and data. In so doing, the Commission seeks to address the apparent needs of schools and libraries for additional support for cybersecurity services and equipment, while evaluating the impact that providing that support would have on the USF. DATES: Effective August 29, 2024, except for amendatory instruction 3 (adding §§ 54.2004, 54.2005, and 54.2006) and amendatory instruction 4 (adding § 54.2008), which are delayed indefinitely. The Commission will publish a document in the Federal Register announcing the effective date for those sections. FOR FURTHER INFORMATION CONTACT: Kristin Berkland Kristin.Berkland@ fcc.gov in the Telecommunications Access Policy Division, Wireline Competition Bureau, 202–418–7400 or TTY: 202–418–0484. Requests for accommodations should be made as soon as possible in order to allow the agency to satisfy such requests whenever possible. Send an email to fcc504@fcc.gov or call the Consumer and Governmental Affairs Bureau at (202) 418–0530. SUPPLEMENTARY INFORMATION: This is a synopsis of the Commission’s Schools and Libraries Cybersecurity Pilot Program, Report and Order (Order), in WC Docket No. 23–234; FCC 24–63, adopted June 6, 2024, and released June 11, 2024. The full text of this document is available at the following internet address: https://www.fcc.gov/document/ fcc-adopts-200m-cybersecurity-pilotprogram-schools-libraries-0. khammond on DSKJM1Z7X2PROD with RULES3 SUMMARY: I. Introduction 1. As broadband connectivity and internet access have become essential VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 for K–12 students and adults alike, the security and safety of that access has likewise become paramount. Whether for online learning, job searching, or connecting with peers and the community, high-speed broadband is critical to educational, professional, and personal success in the modern world. Although broadband connectivity and internet access can simplify and enhance the education and daily lives of K–12 students, school staff, and library patrons, they can also be used by malicious actors to steal personal information, compromise online accounts, and cause online personal harm or embarrassment. In response to the growing importance of cybersecurity to broadband connectivity and internet access for K–12 schools and libraries, and in light of the increase in cyberattacks to disrupt or disable these critical networks, the Commission adopts a three-year pilot program within the USF to provide up to $200 million to support cybersecurity services and equipment for eligible schools and libraries. 2. The Pilot Program is a critical next step to evaluate whether, and to what extent, the Commission should leverage the USF to support the cybersecurity needs of schools and libraries. By proceeding via a short-term Pilot Program, the Commission can gather key data on the types of cybersecurity services and equipment that K–12 schools and libraries need to protect their broadband networks and securely connect students, school staff, and library patrons to advanced communications that are integral to education. The Pilot Program will evaluate whether supporting cybersecurity services and equipment with universal service funds advances the key universal service principles of providing quality internet and broadband services to K–12 schools and libraries at just, reasonable, and affordable rates; and ensuring schools’ and libraries’ access to advanced telecommunications. Importantly, the Pilot Program will also enable the Commission to better estimate the costs of supporting cybersecurity services and equipment via the USF, which will help inform future decisions on how to best utilize the USF to support the connectivity and network security needs of K–12 schools and libraries. Data and information collected through this Pilot Program may also aid in the considerations of broader efforts across the government to help schools and libraries address their cybersecurity concerns. In this regard, the Commission notes that other Federal PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Education (Education Department), have jurisdiction and deep expertise on cybersecurity matters, and the Commission expects continued interagency coordination will enable us to leverage their knowledge and resources to explore how the Commission can contribute to addressing the cybersecurity needs of K–12 schools and libraries. 3. Eligible schools and libraries will be able to request and receive support through the Pilot Program to purchase a wide range of qualifying cybersecurity services and equipment that best suit their particular needs. To ensure that the Commission is able to select a large number of participants for the Pilot Program, it adopts per-student and perlibrary budgets, subject to a minimum funding floor, as well as an overall funding cap. Additionally, the Commission expects to select a diverse cross-section of schools, libraries, and consortia to participate in the Pilot Program, with a focus on selecting applicants with the greatest need. By selecting a participant pool that reflects large, small, urban, rural, and Tribal schools and libraries, the Commission expects to gain a better understanding about the cybersecurity needs of a wide range of schools and libraries. 4. In adopting this Pilot Program, the Commission is also mindful of the ERate program’s longstanding goal of promoting connectivity, as well as its obligation to be a mindful and prudent steward of the Commission’s limited universal service funds. To that end, the Commission must balance its actions in this proceeding against competing priorities, bearing in mind that the universal service funds are obtained through assessments collected from telecommunications carriers that are typically passed on to and paid for by U.S. consumers. The Commission acknowledges that, as a limited-term Pilot Program, only a subset of K–12 schools and libraries will likely be selected and receive support to defray their cybersecurity-related costs. And, with a $200 million budget, the Pilot Program will not be able to fund all of the cybersecurity-related needs of the selected Pilot participants. The Commission notes that the estimated costs for all types of cybersecurity services may exceed the funding available for this Pilot Program, and it further notes that the Pilot participants will not receive 100% reimbursement, as they will be required to pay their non-discount share of the costs of the E:\FR\FM\30JYR3.SGM 30JYR3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES3 eligible services and equipment. Within this framework, the Commission finds that the Pilot Program will serve a vital role in informing the Commission, and the broader Federal Government, as to the most pressing cybersecurity needs of K–12 schools and libraries, and the associated costs, which will enable the Commission and other stakeholders to best address these needs on a long-term basis. II. Discussion 5. In the Order, the Commission establishes a three-year Pilot Program to evaluate whether supporting cybersecurity services and equipment with universal service support could advance the key universal service principles of providing quality internet access and broadband services to K–12 schools and libraries at just, reasonable, and affordable rates; and ensuring schools’ and libraries’ access to advanced telecommunications as provided by Congress in the Telecommunications Act of 1996 (1996 Act). Specifically, the Commission first adopts a three-year Pilot timeframe and $200 million cap to support cybersecurity services and equipment, including advanced firewalls, for eligible schools and libraries, and consortia of eligible schools and libraries, using the Connected Care Pilot Program as a model. Second, the Commission establishes per-student and per-library budgets to specify the amount of funding that Pilot participants can receive and ensure funding can be widely disbursed. Next, the Commission confirms that all eligible schools and libraries, including those that do not currently participate in the E-Rate program, are eligible to apply to participate in the Pilot Program. The Commission then adopts a Pilot eligible services list that specifies the cybersecurity services and equipment that will be eligible for Pilot funding, and an application process that mirrors the E-Rate program and through which it can select a broad pool of participants. In addition, the Commission establishes Pilot Program rules and procedures for all phases of the Pilot, including competitive bidding, requesting funding, and invoicing/reimbursement. These Pilot rules and procedures draw on its experience administering the ERate and Emergency Connectivity Fund (ECF) programs and will promote efficient program administration and reduce burdens on Pilot participants. The Commission also appoints an Administrator of the Pilot and adopt program integrity protections, including document retention and production, gift, certification, audit, and suspension VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 and debarment rules, consistent with its responsibility to be a careful steward of the limited USF dollars. The Commission then adopts Pilot performance goals and data reporting requirements to help us assess the costs and benefits of using the limited universal service funds to support the cybersecurity needs of K–12 schools and libraries, and establish appeal and waiver request rules to provide recourse for parties aggrieved by decisions of the Pilot Program Administrator. Lastly, the Commission concludes that the Commission has legal authority to establish a Pilot Program that provides USF support for cybersecurity services and equipment to eligible schools and libraries and that the requirements of the Children’s internet Protection Act (CIPA) are triggered by the purchase of eligible services or equipment through the Pilot. 6. Pilot Program Timeframe. The Commission first adopts a Pilot Program duration of three years. In the Cybersecurity Notice of Proposed Rulemaking (NPRM), 88 FR 90141, December 29, 2023, the Commission sought comment on its proposed threeyear term for the Pilot Program. The Commission sought comment specifically to understand whether (i) the proposed length of the program would be sufficient to provide the Commission with data to evaluate how effective the Pilot funding is in protecting K–12 schools and libraries, and their broadband networks and data, from cybersecurity threats and attacks; (ii) if it would be feasible to shorten the Pilot without compromising the integrity of the data collected; and (iii) if it should provide additional time for participants to prepare for the Pilot or for the Commission to evaluate the data at the conclusion of the Pilot. 7. While several commenters support the proposed Pilot duration of three years, many advocated for a shortened Pilot duration of either one year or eighteen months. Commenters supporting a shorter Pilot timeframe offered four main reasons for doing so. First, commenters argued that a threeyear Pilot would render the data collected on cybersecurity services and equipment used to combat cybersecurity threats and attacks obsolete by the conclusion of the Pilot Program. Second, commenters advocated that a shorter program would allow the Commission to evaluate Pilot data in time to align with the next E-Rate category two budget cycle (i.e., funding years (FY) 2026 through FY 2030). Third, commenters argued for a shorter duration on the grounds that applicants who were not selected to participate in PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 61283 the Pilot would be required to wait over three years to potentially receive funding to combat cybersecurity threats and attacks. Finally, commenters recommended a shorter Pilot term or, alternatively, a higher cap, in order to increase the number and diversity of participants. 8. A three-year Pilot Program will give the Commission the time to evaluate whether universal service support should be used to fund cybersecurity services and equipment on a permanent basis and the Commission adopts a program duration of three years for the Pilot. In establishing the Connected Care Pilot Program, the Commission concluded that a three-year pilot program was ‘‘reasonable and [would] allow the Commission to obtain sufficient, meaningful data from the selected pilot projects’’ and the Commission finds the same reasoning applies here. As a responsible steward of the limited USF, the Commission is obliged to carefully evaluate any actions that would expand demands on the Fund. This is particularly important where, as here, the Commission is exploring whether to make funding available to support services and equipment not previously covered, and where other resources may be available. Given record estimates regarding what it could cost to fund a complete suite of cybersecurity services and equipment, the Commission thinks it is imperative to carefully consider the potential benefits—and burdens—before deciding whether to move forward with such funding on a wider scale or permanent basis. The Commission believes that a three-year term will enable us to gather the necessary information. 9. The Commission recognizes there is a tradeoff between learning more from the Pilot and moving quickly to potentially expand support to protect K–12 schools’ and libraries’ broadband networks and data from cybersecurity threats and attacks. While some commenters suggested setting a one-year to eighteen-month term, in part to align with the next category two budget cycle, the Commission declines to do so. A shorter term would hamper the Commission’s ability to evaluate the use of universal service funds to fund cybersecurity equipment and services, particularly given the expected lead time for schools and libraries to implement a cybersecurity solution and unknowns around the evolving threat of potential cybersecurity attacks. Moreover, the Commission notes that it would be challenging to align the conclusion of the Pilot with the next category two budget cycle in any event, given the time needed to evaluate E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61284 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations lessons learned from the Pilot and the proceedings needed to implement any permanent funding stream for cybersecurity services and equipment. Additionally, the Commission disagrees with commenters that a three-year term would render any potential solutions or analysis obsolete. Given the flexibility the Commission provides to Pilot participants to select and modify the cybersecurity services and equipment they choose over the three-year period, the Commission expects that participants will be able to quickly adapt to changes in cybersecurity threats or attacks, or the availability of new cybersecurity solutions. Additionally, given the reporting requirements adopted herein, the Commission expects to keep pace with lessons learned from the Pilot as data is provided which, in turn, will help facilitate its analysis and determination of next steps. Finally, the Commission disagrees with commenters who suggest it shorten the Pilot term or allocate additional funding in order to fund a greater or wider array of participants. The Commission believes the $200 million cap will allow it to provide sufficient support to a wide crosssection of Pilot participants; thus, the benefits to retaining the proposed threeyear time frame are greater than the benefits of a shorter duration. 10. Pilot Program Cap. The Commission also adopts a Pilot Program funding cap of $200 million over three years for the Pilot Program. In the Cybersecurity NPRM, the Commission sought comment on whether (i) a cap of $200 million would be sufficient to obtain meaningful data about how this funding would help to protect schools’ and libraries’ broadband networks and data and improve their ability to address K–12 cyber risks; (ii) if a lower cap would be sufficient for these purposes (e.g., $100 million); and (iii) how the total Pilot Program cap should be distributed over the three-year funding period in a way that accounts for participants’ spending needs while ensuring predictable funding over the three-year term. 11. Several commenters agree that the proposed $200 million funding cap is sufficient to fund a wide range of Pilot participants over a three-year period. Others suggested a higher amount in order to provide funding to a larger number of Pilot participants. Having reviewed the record in its entirety, the Commission adopts the proposed $200 million funding cap for the Pilot Program. For its goal of obtaining meaningful information on how this Pilot could help protect schools’ and libraries’ broadband networks and data, VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 and improve their ability to address K– 12 schools’ and libraries’ cybersecurity risks, as discussed in the Order, the Commission believes the proposed cap of $200 million over three years will be sufficient. 12. To provide funding for the Pilot, and to minimize the impact on the contribution factor, the Commission will assign unused E-Rate funds from prior funding years to cover the full $200 million cap. In 2023, the Wireline Competition Bureau (Bureau) found that unused funds from prior funding years were available for use in funding year 2023 and directed the USF Administrator, the Universal Service Administrative Company (USAC), to fully fund year 2023 demand, and to reserve an additional $190 million of carry forward funds for future use. Similarly, in 2024, the Bureau directed USAC to reserve $10 million of the available $500 million of carry forward funds for future use. With the Order, the Commission assigns that $200 million of carry forward funding to offset the collection requirements for the Pilot, thereby reducing any potential increase on the contribution factor. In the Cybersecurity NPRM, the Commission sought comment on other approaches that could be used to fund the Pilot, aside from directing USAC to separately collect the needed funds. No commenter addressed these approaches. Making use of carry forward funding in this way is consistent with its responsibility to be a careful steward of the USF, while at the same time allowing the Commission to respond to the need for additional cybersecurity funding for K–12 schools and libraries. This approach is consistent with how the E-Rate and other USF programs are administered. 13. The Commission next adopts fixed per-student and per-library budgets to determine the amount of funding that participants may receive during the Pilot. In the Cybersecurity NPRM, the Commission sought comment on how to evaluate funding requests and whether to establish a maximum amount of funding that an individual participant could receive. Among other things, the Commission sought comment on whether providing a larger amount of funding to a smaller number of participants, or a smaller amount of funding to a greater number of participants, would best enable us to assess the use of the USF for cybersecurity services and equipment. In particular, the Commission sought comment on whether it should establish a per-student budget, with a corresponding budget for libraries, as well as the data sources and cost information that would be appropriate PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 to use in evaluating funding requests. Additionally, the Commission sought comment on whether it should require Pilot participants to contribute a portion of the eligible costs of cybersecurity services and equipment in order to receive funding. The Commission further proposed to apply a participant’s category two discount rate to calculate the non-discounted share of costs for the Pilot Program, but also sought comment on requiring participants to instead contribute a fixed percentage of the costs of the cybersecurity services and equipment purchased. Finally, the Commission sought comment on whether a participant should receive its funding commitment in equal installments, or whether there may be reasons why a Pilot participant may need access to a greater amount earlier during the three-year term. 14. A 2021 cost study submitted jointly by Funds For Learning, LLC (FFL), the Consortium for School Networking (CoSN), and others estimated it would cost approximately $13.60 per student annually to support advanced or next-generation firewall services, $16.20 per student annually to support endpoint security and protection, and $14.50 per student annually to support additional, advanced cybersecurity services and equipment. Rubrik, Inc. (Rubrik), in its comments, stated it would be reasonable to establish a funding maximum for individual entities of $1 million to $2 million. Based on its review of the cost estimates submitted by commenters, and consistent with its goal to provide funding to a wide variety of participants, as discussed in the Order, the Commission adopts fixed budgets to determine the amount of funding that a Pilot participant can receive. While these budgets, including associated maximums and floors, are specified in terms of annualized dollar amounts, participants’ expenses are capped based on the full three-year duration of the Pilot and not on an annual basis. Thus, Pilot participants may request reimbursement for expenses as they are incurred even if it means that the amount of funding disbursed to a participant in a given year of the program exceeds their annual budget, so long as the total amount disbursed to a participant over the three-year term does not exceed three times that annual budget. In establishing these budgets, which account for the estimated costs of different types of advanced cybersecurity solutions, the Commission expects to provide a meaningful benefit to a substantial number of schools, libraries, and consortia. In E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations implementing this approach, the Commission declines to award support based on a percentage of a participant’s category one or category two budget, as suggested by some commenters. The Commission finds that a more tailored approach, grounded in the estimated cost of implementing specific types of cybersecurity solutions, would best achieve its goals in a targeted and costeffective manner. Furthermore, the Commission notes that because it does not limit Pilot participation to current ERate applicants, it would be difficult to implement an approach based on category one or category two budgets. When implementing these budgets, the Commission will categorize Pilot applicants and consider their funding needs in combination with their applicant type, as discussed in greater detail below. 15. Schools and School Districts. Schools and school districts will be eligible to receive up to $13.60 per student, annually, on a pre-discount basis, to purchase eligible cybersecurity services and equipment over the threeyear Pilot duration. The Commission finds that a pre-discount annual budget of $13.60 per student strikes an appropriate balance between supporting the various types of cybersecurity services and equipment needed to protect school networks and data, and its desire to provide funding to as many schools and school districts as possible in the limited-term Pilot Program. Additionally, the Commission notes that this per-student annual budget is sufficient to support the majority of the total annual costs related to any one of the three types of security measures FFL and CoSN identified in their cost estimate, and is also consistent with the Commission’s analysis in the First 2014 E-Rate Order, 80 FR 167, January 5, 2015, that established per-student budgets for category two equipment and services. 16. The Commission recognizes that for many schools a pre-discount annual budget of $13.60 will not, by itself, be sufficient to fund all of the school’s cybersecurity needs to achieve a fully mature cybersecurity posture, as doing so would typically require a school to implement multiple categories of technical solutions, often in a specific priority order. Given the limited Pilot funding available, its approach instead ensures that each participating school will receive funding to prioritize implementation of solutions within one major technological category requested by commenters, enabling the school to make meaningful progress toward its own cybersecurity goals and providing flexibility for schools with differing VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 cybersecurity strengths and vulnerabilities. The Commission finds that this approach ensures that each participant can make meaningful, incremental progress towards its own cybersecurity goals, and best positions the Commission to assess the benefits that accrue from funding individual cybersecurity solutions, consistent with a core objective of the Pilot. The Commission also finds that this approach represents a strategic and costeffective way to spend the limited Pilot funds in the context of considering future changes to the E-Rate program, as it creates incentives for each school to select the most impactful incremental solutions available to it in view of the school’s specific cybersecurity vulnerabilities and strengths. 17. Schools and school districts selected for the Pilot Program will be eligible to receive, at a minimum, $15,000 in annual support, on a prediscount basis, over the three-year Pilot duration. The Commission establishes this funding floor to ensure that even the smallest schools and school districts can receive support sufficient to purchase a variety of cybersecurity services and equipment. The Commission sets the annual funding floor at $15,000, pre-discount, because it aligns with the annual cost estimate submitted by FFL and CoSN, which found that that the approximate per-site annual cost for advanced firewalls is $15,994. The Commission notes that a pre-discount $13.60 per-student budget equates to approximately 1,100 students in a school or school district receiving $15,000 in support. As a result, schools and school districts with 1,100 students or fewer will be eligible to receive the pre-discount $15,000 annual funding floor. The Commission also establishes an annual budget maximum of $1.5 million, pre-discount, which equates to approximately 110,000 students, using the pre-discount $13.60 per-student budget. As a result, schools and school districts with more than 1,100 students, and up to approximately 110,000 students, will calculate their budget using the pre-discount $13.60 perstudent multiplier. Schools and school districts with more than 110,000 students will be subject to the annual budget maximum of $1.5 million, over the three-year Pilot duration. The Commission finds that a $1.5 million annual maximum reflects the greater purchasing power of larger schools, school districts, and consortia, and the associated reduction in the cost-perstudent amount. Additionally, the Commission establishes the annual budget maximum to best ensure that PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 61285 Pilot funds are able to support cybersecurity services and equipment for as many participants as possible, and also to ensure that a disproportionate amount of funding is not awarded to any one participant. 18. Libraries and Library Systems. Rather than adopt a per-user budget, as the Commission has for schools and school districts, or a budget based on library square footage as it does for category two E-Rate funding requests, it adopts a budget that provides a set amount of funding per library to purchase cybersecurity services and equipment. In particular, the Commission establishes a pre-discount annual budget of $15,000 per library up to 11 libraries/sites, consistent with its analysis regarding the per-site funding amount needed to support advanced firewalls. Library systems with more than 11 libraries/sites will be eligible for support up to $175,000 annually, prediscount, which approximately reflects the cost of providing advanced firewalls to an entity with between 10 and 24 locations. The Commission believes using a per-site methodology and funding caps for calculating library budgets is more appropriate than using library square footage, as it does for ERate category two funding requests, because costs for cybersecurity services and equipment do not scale with square footage in the same way as they do for building internal Wi-Fi networks. The Commission also finds that the prediscount budgets established for libraries and library systems are generally consistent with how funding is allocated in the E-Rate program to cover the majority of the cost of supported services and equipment, and strike a balance between funding a baseline amount needed to procure cybersecurity services and equipment, and ensuring that the Pilot Program is able to support as many participants as possible. 19. Consortia. Consortia participants comprised of eligible schools and libraries will be eligible to receive funding based on student count (using the annual pre-discount $13.60 per student multiplier and $1.5 million, prediscount, annual cap) and the number of library sites (using the pre-discount $15,000 per library annual budget up to 11 libraries/sites and the $175,000, prediscount, annual cap). Consortia that are solely comprised of schools will be subject to the pre-discount annual $1.5 million budget maximum applicable to schools. Consortia that are solely comprised of libraries will be subject to the pre-discount $175,000 annual budget maximum for library systems. Consortia comprised of both eligible E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61286 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations schools and libraries will be subject to the pre-discount $1.5 million annual budget maximum applicable to schools. The Commission finds these budget maximums are an important mechanism to ensure that Pilot funding is widely disbursed. The Commission will also require each consortium to select a consortium leader. 20. Non-discount Share of Costs. The Commission will require participants to contribute a portion of the costs of the cybersecurity services and equipment they seek to purchase with Pilot Program support, similar to the nondiscount share that E-Rate applicants are required to contribute to the cost of their eligible services and equipment. The Commission agrees with the Dallas Independent School District that requiring participants to contribute some portion of the costs of eligible services and equipment, as it has in ERate, will be ‘‘successful in aligning the interests of applicants to minimizing waste, fraud, and abuse.’’ In the Cybersecurity NPRM, the Commission proposed using a participant’s category two discount rate to determine the portion of costs a participant will be required to contribute. The Commission establishes in the Order, instead, that participants will use their category one discount rate to determine the nondiscount share of costs. Thus, participants with the students with the greatest need will be eligible for support for 90 percent of their costs, and will be required to contribute 10 percent of the cost of eligible cybersecurity services and equipment purchased with Pilot funds. By using the category one discount rate, the program’s neediest schools and libraries will have greater flexibility in selecting eligible services and equipment, thus supporting its goal to evaluate the benefits of supporting advanced firewalls and cybersecurity services using the USF. Furthermore, the category one discount rate is appropriate, as Pilot funds will be used to enhance the protection of the broadband networks, including those funded from the E-Rate program’s category one. The Commission finds that this approach is preferable to establishing a uniform contribution percentage like the one adopted for the Connected Care Pilot Program because it equitably accounts for the relative need of the participant. Moreover, most, if not all, Pilot applicants and participants— including large state or regional consortia—are already familiar with the use of discount rates in the E-Rate program. 21. Disbursement of Support. The Commission will permit Pilot participants to request reimbursement VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 as expenses are incurred, even if it means that a greater amount of funding is disbursed earlier in the three-year Pilot term than is specified by its annual budgets, so long as the overall disbursement to a participant over the course of the three-year Pilot term does not exceed three times the annual budget. In doing so, the Commission acknowledges that some participants may face greater up-front costs for the services and equipment needed to implement their cybersecurity plans, whereas others may have ongoing recurring costs, or some combination of both. The Commission agrees with Cisco that it should not adopt a ‘‘static’’ funding approach, as well as with Palo Alto Networks, Inc. that a flexible approach would ‘‘ensure a stronger runway for the deployment and configuration of eligible solutions and products under the Pilot.’’ However, the Commission declines to adopt the recommendation of Advanced Technology Academic Research Center Cybersecurity Higher Education and Workforce Development Working Group that it abandon its traditional reimbursement structure to provide ‘‘seed’’ money at the outset of the Pilot. The reimbursement process the Commission adopts here is consistent with the reimbursement processes used in the E-Rate and other universal service programs and, combined with the requirement that Pilot participants contribute some amount of their own money towards the cost of eligible services and equipment, serves as an important backstop for safeguarding the integrity of the Pilot Program. Moreover, while the Commission is mindful of the importance of establishing a predictable cap that minimizes the contribution burden on consumers, it expects that the limited nature of the Pilot cap relative to the overall size of the Fund, as well as its planned use of the reserved $200 million in carry forward funding, will minimize any burden to the overall Fund for any given quarter. 22. Pilot Benefits will Exceed Costs. The Commission expects the benefits of the Pilot Program to exceed the costs. As a threshold matter, the Commission notes that program participation by applicants, participants, and service providers is voluntary, and it expects that Pilot participants will carefully weigh the benefits, costs, and burdens of participation to ensure that the benefits outweigh their costs. The Pilot will also enable us to evaluate the estimated economic benefits of using universal service support for cybersecurity services and equipment, compared to its cost to the Fund. In this regard, the PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 Commission notes that, according to the Federal Bureau of Investigation’s internet Crime Complaint Center, the U.S. population, including U.S. territory residents, incurred an estimated $10.9 billion in losses from cybercrime in 2023. Based on a 2023 U.S. population of 335 million, this equates to a percapita loss of about $32.50 per person from cybercrime. The Pilot Program caps support at a pre-discount, annual level of $13.60 per student for most schools and school districts. If the Pilot can reduce the annual monetary cost of cyberattacks on participating K–12 schools by at least 42 percent, the expected economic benefits of increased cybersecurity would exceed the perstudent funding costs. The Commission expects that there may be additional benefits that cannot be easily quantified, such as a reduction in learning downtime caused by cyberattacks, reputational benefits from increased trust in school and library systems, increased digital and cybersecurity literacy among students and school staff, and the safeguarding of intellectual property. Despite these benefits, the Commission is also concerned about the overall cost to the Fund if it were to provide cybersecurity funding to all E-Rate participants, which CoSN estimates could cost the Fund $2.389 billion annually. This limited Pilot Program will therefore enable the Commission to evaluate the benefits of using universal service funding to fund cybersecurity services and equipment against the costs before deciding whether to support it on a permanent basis. 23. The Commission next make eligibility for participation in the Pilot Program open to all eligible schools and libraries, including those that do not currently participate in the E-Rate program. In the Cybersecurity NPRM, the Commission sought comment on the types of entities that should be eligible to participate in the Pilot Program. The Commission observed that a wide array of entities participate in the E-Rate program, and sought comment on how to ensure that the Pilot likewise has a diverse participant pool. Specifically, the Commission asked whether: (i) eligibility should be limited to schools and libraries currently participating in the E-Rate program; (ii) eligibility should be expanded to include schools and libraries that do not currently participate in the E-Rate program; or (iii) eligibility should include any entity that qualifies for funding through the E-Rate program. The Commission proposed to adopt the same definitions for schools and libraries as used in the E-Rate E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations program, when determining the eligibility of Pilot participants. 24. Commenters generally supported leveraging the E-Rate program rules to determine the types of entities that should be eligible to participate in the Pilot Program, with at least a few encouraging the Commission to limit eligibility to existing E-Rate applicants. For example, The Internet & Television Association (NCTA) argued that limiting eligibility to existing E-Rate participants was appropriate ‘‘since [Pilot] cybersecurity services will be integrated with the connectivity being purchased pursuant to the E-Rate program.’’ Several commenters urged the Commission to make consortia eligible, consistent with the E-Rate program. These commenters noted that consortia ‘‘can provide valuable services at scale,’’ which would allow the Commission to ‘‘stretch the limited proposed Pilot funding and increase the impact to more students and schools.’’ Others suggested that it expand eligibility to include local and other government entities and Educational Service Agencies (ESAs). 25. The Commission has determined that it will permit all eligible schools and libraries, including those that do not currently participate in the E-Rate program, to apply to participate in the Pilot. The Commission adopts the definitions of elementary school, secondary school, library, and library consortium contained in Final Rules section of the Order, which mirror the definitions that it uses for the E-Rate program. In taking these steps, the Commission declines to adopt suggestions from commenters that it limit Pilot eligibility to only those schools and libraries that currently participate in the E-Rate program. The Commission observes that all schools and libraries currently face increased cybersecurity threats and attacks regardless of whether they receive ERate funding and opening the Pilot Program to all eligible schools and libraries will allow us to gather data from the widest range of eligible participants. While the Commission appreciates the concern raised by NCTA and others that the Pilot should focus on protecting E-Rate-funded networks, it believes that, on balance, opening the Pilot Program to a wider pool of participants would best ensure that it has sufficient data to evaluate the impact of universal service support on the purchase of cybersecurity services and equipment both now and in the future. Given the large percentage of eligible schools that participate in the ERate program, the Commission anticipates that the overwhelming VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 majority of Pilot participants will also be E-Rate participants. 26. Consistent with the Commission E-Rate rules, it further clarifies that it will also permit eligible schools and libraries that apply as a consortium to participate in the Pilot Program. The Commission agrees with commenters that consortia have buying power that can help bring down costs and that including consortia in the Pilot would allow larger, better-resourced schools and libraries to partner with smaller, less technically savvy participants. Given the limited funding for the Pilot Program and the Commission’s objective to select as many participants as possible, it will allow a school or library to apply and participate only once in the Pilot Program, either individually or as part of a consortium. The Commission declines to extend eligibility to local and other governmental entities, including ESAs, or other entities that are not an eligible school or library as defined in § 54.2000 of the Commission’s rules adopted. However, non-eligible entities, including local, state, and Tribal governmental entities, and other not-forprofit organizations may serve as a consortium leader for a consortium participant in the Pilot, but as in the Rural Health Care, E-Rate, and Connected Care Pilot programs, will be ineligible to receive Pilot benefits, discounts, and funding, and therefore must pass through the benefits, discounts, and support to the eligible school and library consortium members. While the Commission recognizes that local governmental entities may provide economies of scale or cybersecurity expertise that would benefit schools and libraries, the E-Rate and Rural Health Care programs direct USF support to schools, libraries, and health care providers, pursuant to sections 254(c)(3) and 254(h) of the Communications Act of 1934, as amended (the Act). As its legal authority for the Pilot stems from the same source, the Commission declines to expand Pilot eligibility to include governmental and other entities that would be ineligible under the ERate or Rural Health Care programs; however, it recognizes the expertise and value of these entities by allowing them to serve as ineligible consortium leaders that pass through the benefits, discounts, and support from the Pilot Program to their eligible school and library consortium members. The Commission directs the Bureau and USAC to provide additional training and guidance on creating a Pilot consortium and serving as a consortium leader in the Pilot. The Commission also PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 61287 directs the Bureau and USAC to establish measures to prevent eligible schools and libraries from receiving duplicative Pilot support as individual Pilot participants and as Pilot consortium members. 27. The Commission adopts a Pilot Eligible Services List (P–ESL) which specifies eligible cybersecurity services and equipment for the Pilot. In the Cybersecurity NPRM, the Commission sought comment on the ‘‘equipment and services . . . that should be made eligible to participants in the Pilot’’ and on whether it should specify eligible services and equipment using ‘‘general criteria’’ or a ‘‘list of specific technologies.’’ Based on the record, the Commission adopts a flexible approach for the P–ESL as it deems services and/ or equipment eligible if they ‘‘constitute a protection designed to improve or enhance the cybersecurity of a K–12 school, library, or consortia.’’ At the same time, the Commission provides applicants with specificity and clarity in practical terms in the P–ESL, as it enumerates as eligible, in a non-limiting manner, four general categories of technology raised by commenters as effective in combatting cyber threats, namely, (i) advanced/next-generation firewalls; (ii) endpoint protection; (iii) identity protection and authentication; and (iv) monitoring, detection, and response. Moreover, for each of these categories, the Commission provides a non-exhaustive list of examples of eligible services and equipment in the P–ESL. Through the list of examples, the Commission confirms that the wide range of services and equipment it had proposed for inclusion in the Cybersecurity NPRM, or that commenters had otherwise requested, are eligible. The Commission designates the eligible services and equipment for the duration of the Pilot through the P– ESL. The Commission also delegates authority to the Bureau, as needed, to clarify and make technical changes to the P–ESL consistent with the standards it established herein, to promote efficient program administration and account for technological evolution. 28. The Commission agrees with commenters who opine that Pilot participants should have flexibility to determine which solutions best serve their needs by basing eligibility on broader considerations, rather than a specific and potentially rigid set of preauthorized components. Its approach is consistent with Rubrik’s view that it ‘‘provide general guidance for applicants, but not lock them into specific technology products.’’ Its approach also includes as eligible the advanced or next-generation firewalls, E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61288 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations endpoint security and protection, and other advanced security services and equipment identified by E-Rate stakeholders, including FFL and CoSN. At the same time, by enumerating four non-limiting categories of eligible technology, the Commission finds that its approach also meets the recommendations of commenters that it ‘‘establish general categories of eligible offerings’’ without ‘‘specify[ing] the precise technologies or solutions that must be relied upon’’ and allow ‘‘[p]ilot participants to select any product and/ or services that fall into any of the eligible categories.’’ Its approach also ensures that most, if not all, of the cybersecurity services and equipment needed to implement recommendations from the CISA K–12 Cybersecurity Report, the Education Department K–12 Digital Infrastructure Briefs, and other Federal resources and guides are eligible while still allowing Pilot participants significant flexibility to determine the extent to which any of these specific measures would be most cost-effective for them to implement. While the Commission declines to make these or other Federal recommendations the sole basis for determining eligibility for the purposes of the Pilot, it strongly encourages all participants to consider these Federal recommendations, particularly those that can be implemented at little or no cost, as part of their assessment of which services and equipment to request to be funded through the Pilot. The Commission directs the Bureau to identify these Federal recommendations, and it directs the Bureau and USAC to facilitate access to these recommendations by including information related to them on relevant program websites and in training materials that each entity makes available to Pilot participants. The Commission further directs the Bureau and USAC to periodically update the information provided on their respective websites and in the training materials to reflect relevant updates to the recommendations that may issue during the duration of the Pilot. 29. The Commission finds that specifying eligibility based on broader considerations is appropriate in the context of a Pilot that aims to study the effectiveness of a wide variety of technological solutions. The Commission further finds that its approach, in which it declines to attempt to exhaustively list every possible technological category or eligible service or piece of equipment within a category, is reasonable and reflects the rapidly-changing nature of the technical solutions available to VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 address cybersecurity threats and attacks. Its approach also ensures that services or equipment are not deemed ineligible merely because the service provider or equipment-maker uses a label or term to describe it that is not specifically enumerated in the P–ESL. To provide participants with further flexibility, and in view of a lack of consensus around the terminology used to describe similar cyber solutions, the Commission makes eligible both the specific services and equipment identified in the P–ESL, as well as ones that have ‘‘substantially similar features or their equivalents.’’ The Commission also makes eligible security updates and patches, which will help to ensure that participants are protected even as threat vectors evolve over the course of the Pilot. The Commission finds that this will help to ensure that the services and equipment funded through the Pilot do not reach their end of useful life prematurely, thus avoiding waste in the Pilot Program. Finally, consistent with the flexible approach the Commission adopts, it clarifies that applicants are permitted to seek funding for multi-year licenses for eligible recurring services that are longer than three years, however, only services delivered within the Pilot Program period can be reimbursed using Pilot funds. Similarly, the costs of eligible services that will be incurred during the Pilot Program period are eligible, subject to compliance with procurement requirements and limitations on duplicative funding, even if prior years’ costs were paid with another funding source. 30. The Commission further finds its approach strikes a reasonable balance between specifying basic limits on the scope of eligible services and equipment, which reflects the limited funding available for the Pilot and the need to safeguard Pilot funds from being used on components unrelated to Pilot objectives, while providing participants with clarity and significant flexibility to address their unique cybersecurity threat profiles, which they are ultimately in the best position to assess. Moreover, its enumeration of four key categories of technology, and specific services and equipment within each area, ensures that USAC will be positioned to expediently conduct program integrity and service reviews and quickly issue funding decisions for the eligible Pilot Program services and equipment. 31. The Commission clarifies that its inclusion of a given technological category, equipment, or service in the P–ESL and/or any subsequent determination by the Bureau that a PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 specific piece of equipment or service is eligible in the Pilot Program, is not an endorsement by the Commission, the Bureau, or USAC that the equipment or service is sufficiently cost- or technologically-effective for its intended purpose (e.g., in preventing a breach, a loss of data, or other harm). Rather, the Commission expects participants to select equipment and services from among those that are eligible based on their own assessments of costeffectiveness in addressing their specific needs. Accordingly, a participant may not rely on eligibility determinations made by the Commission or the Bureau in the Pilot as a defense or safe harbor should it experience a cyber incident, including a breach, a data loss, or other harm. Moreover, the Commission clarifies that the services and equipment listed in the P–ESL are eligible only when they are used on or as a part of a participant’s school or library broadband network that directly furthers its educational mission. The Commission finds this clarification appropriate to ensure that it can satisfy the statutory purpose of the E-Rate program, as well as its goal of measuring the costs associated with cybersecurity services and equipment. The Commission also declines to limit eligible services and equipment for the Pilot to those that are used on E-Ratefunded broadband networks only. The Commission finds this step reasonable given that Pilot participants are not limited solely to current applicants in the E-Rate program. 32. In the Cybersecurity NPRM, the Commission sought comment on whether to make advanced and nextgeneration firewalls eligible for the Pilot and, if so, how to define the scope of these terms. The Commission adopts this proposal to enable Pilot participants to protect their networks from outside cyber attackers by blocking malicious or unnecessary network traffic. For purposes of the Pilot, the Commission defines an ‘‘advanced’’ or ‘‘nextgeneration’’ firewall as ‘‘equipment, services, or a combination of equipment and services that limits access between networks, excluding basic firewall services and components that are currently funded through the E-Rate program.’’ This definition is reflected in the P–ESL. 33. The Commission agrees with the vast majority of commenters that advanced or next-generation firewalls are a logical starting point and an important tool to include in the Pilot as it studies the potential use of universal service funding to protect eligible schools and libraries from cybersecurity threats and attacks. The Commission E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations also agrees that making these tools eligible in the Pilot will provide the Commission with a stronger understanding of the technical benefits and cost implications of potentially funding these tools in the broader ERate program. While no commenter directly opposed the view that advanced and next-generation firewalls could meaningfully improve security postures, a few commenters opined that the associated funding could be used more effectively in other ways, including to fund training of ‘‘staff and end-users.’’ The Commission disagrees with these commenters and find that funding advanced and next-generation firewalls is justified in light of the Commission’s previous findings establishing the value of these technologies, and it finds it reasonable to extend Pilot funding to these tools rather than to fund, e.g., training more broadly than described further below or the less-vetted alternatives raised by commenters. The Commission further finds that the funding of specific advanced firewall technologies will provide more quantifiable and tractable benefits compared with funding broad cybersecurity training programs, based on undetermined materials and methods. 34. However, the Commission does agree that funding some level of training will help to ensure that the Pilot-funded equipment and services are used effectively and for maximum benefit. Accordingly, it makes training eligible on terms similar to those in E-Rate, namely, when the training is included ‘‘as a part of installation services but only if it is basic instruction on the use of eligible equipment, directly associated with equipment installation, and is part of the contract or agreement for the equipment’’ and if it ‘‘occur[s] coincidently or within a reasonable time after installation.’’ The Commission finds that this approach balances the need to ensure that applicants have access to training that will enable them to effectively oversee, utilize, and supervise the use of the Pilot-funded equipment and services and prevent the limited Pilot funds from being disproportionately used for cybersecurity awareness training for staff and end-users, thereby, limiting the number of technical solutions that can be implemented and evaluated during the course of the Pilot. However, in contrast to the E-Rate program, it does not require that the training be provided ‘‘[o]n-site’’ to be eligible. The Commission finds it appropriate to fund off-site training as much of the equipment and services identified in the VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 P–ESL are likely to be supplied or otherwise provided to a participant remotely. The Commission notes that there are numerous free cybersecurity training resources already available through its Federal Government partners. The Commission also expects, based on its years of experience directing USAC’s administration of the E-Rate program, that vendors are likely to include basic training at no additional cost as part of their sale of the eligible equipment and services. 35. The Commission also clarifies that for the purposes of the Pilot Program eligibility rules that ‘‘advanced’’ and ‘‘next-generation’’ firewalls exclude services and/or equipment that are eligible in the E-Rate program. Participants are therefore required to cost allocate components or features that are eligible in E-Rate (e.g., basic firewall components and features) when seeking reimbursement for their eligible equipment and services in the Pilot. Its approach reflects a definition of the term ‘‘firewall’’ endorsed by the National Institute of Standards and Technology (NIST) with a carve out for services and equipment that are already funded through the E-Rate program. The Commission finds it is appropriate to adopt a broad definition as this is consistent with its objective to determine the technological benefits and monetary costs associated with a wide and diverse range of tools for addressing cybersecurity threats and attacks. At the same time, the Commission finds it reasonable to exclude from its definition basic firewall services and equipment that are currently funded through the E-Rate program. The Commission finds that this approach ensures that Pilot funds are spent efficiently, i.e., only on services and equipment not already funded through other USF programs, and that this approach will thus maximize the amount of data and information collected on cybersecurity tools during the Pilot. The Commission further finds that its approach provides sufficient clarity to Pilot participants, and flexibility to request funding for advanced firewalls as they may continue to evolve over the course of the Pilot, while avoiding difficulties associated with attempting to exhaustively enumerate all relevant technological features. To further address commenter views, and as reflected in the P–ESL, the Commission confirms that most, if not all, of the relevant features that commenters endorse as ‘‘advanced’’ and ‘‘nextgeneration’’ firewall features, including intrusion detection and prevention, PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 61289 application-level inspection, antimalware and anti-virus protection, virtual private network (VPN), Domain Name System (DNS) security, distributed denial-of-service (DDoS) protections, and content filtering technologies, are eligible for the Pilot. 36. The Commission declines to adopt the proposal of some commenters, made in this proceeding and in response to the Bureau’s recent Public Notices related to the scope of the Funding Year 2024 E-Rate ESL, that it immediately makes advanced and/or next-generation firewalls eligible in the E-Rate program, even as it continues to study the benefits and costs of other services and equipment through the proposed Pilot. Making advanced and/or nextgeneration firewalls immediately eligible in the E-Rate program would run directly counter to its proposed purpose of the Pilot Program to, among other things, ‘‘measur[e] the costs associated with . . . advanced firewall services, and the amount of funding needed to adequately meet the demand for these services if extended to all ERate participants.’’ As similarly noted by the National Education Organizations (EdGroup), an aim of the Pilot is to further ‘‘demonstrate the need for and costs of cybersecurity measures such as advanced firewalls, and to gauge how districts would respond to available federal funding.’’ The Commission finds it reasonable, and consistent with its obligations to be a careful steward of the limited USF funds, to first study the costs and benefits of advanced and/or next-generation firewalls in the Pilot, before making any determination on whether and how to potentially make these services and equipment eligible through the E-Rate program. 37. Next, the Commission makes endpoint protection, including antivirus, anti-malware, and antiransomware, services and equipment eligible in the Pilot so that participants can protect their networks from potential vulnerabilities introduced by desktops, laptops, mobile devices, and other end-user devices that connect to their networks. For the purposes of the Pilot, the Commission defines endpoint protection as ‘‘equipment, services, or a combination of equipment and services that implements safeguards to protect school- and library-owned end-user devices, including desktops, laptops, and mobile devices, against cybersecurity threats and attacks.’’ This definition is reflected in the P–ESL. 38. The Commission agrees with the many commenters who argue for the inclusion of the specific endpoint technologies that it makes eligible. The Commission also agrees with E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61290 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations commenters that providing funding for endpoint protection should be a priority in investigating ways to improve a school’s or library’s network security. The Commission finds that its approach is justified as school and library networks continue to evolve to include an ever increasing number of endpoint devices, including desktops, laptops, and mobile devices that serve as points of vulnerability. Moreover, the Commission finds that this approach provides funding to address the Center for internet Security’s (CIS) observations that a large percentage of cyberattacks involve ransomware, malware, web application hacking, insider and privilege misuse, and target intrusions. No commenter objects to the Pilot funding endpoint protection. The Commission further finds that its definition of endpoint protection is reasonable as it largely reflects a definition endorsed by NIST, but allows for tools to be software- or non-softwarebased and emphasizes that, to be eligible, tools must defend against cyberattacks. 39. The Commission also makes identity protection and authentication tools eligible in the Pilot so that participants can prevent malicious actors from accessing and compromising their networks under the guise of being legitimate users. Such tools may include DNS/DNS-layer security, content blocking and filtering/URL filtering, multi-factor authentication (MFA)/ phishing-resistant MFA, single sign-on (SSO), and event logging. For the purposes of the Pilot, the Commission defines identity protection and authentication as ‘‘equipment, services, or a combination of equipment and services that implements safeguards to protect a user’s network identity from theft or misuse and/or provide assurance about the network identity of an entity interacting with a system.’’ This definition is reflected in the P– ESL. 40. The Commission agrees with the large number of commenters who argue for the inclusion of the specific identity protection and authentication technologies that it makes eligible. The Commission also agrees with commenters that deploying these tools will better ensure that unauthorized users will be unable to gain network access, unable to cause network damage if they do gain access, and/or provide an early warning to schools and libraries of unusual or anomalous behavior that could signal the presence of near and future cyber threats or attacks while they can still be effectively remediated. No commenter objects to the Pilot funding identity protection and VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 authentication technologies. Moreover, the Commission finds that its definition of identity protection and authentication is reasonable as it largely reflects a definition of ‘‘identity authentication’’ endorsed by NIST, and also clarifies that protection involves protection from theft or misuse. 41. The Commission further makes network monitoring, detection, and response, including the use of security operations centers (SOCs) for managed cybersecurity services, eligible in the Pilot so that participants can promptly and reliably detect and neutralize malicious activities that would otherwise compromise their networks. For purposes of the Pilot, the Commission defines monitoring, detection, and response as ‘‘equipment, services, or a combination of equipment and services that monitor and/or detect threats to a network and that take responsive action to remediate or otherwise address those threats.’’ This definition is reflected in the P–ESL. 42. The Commission agrees with the large number of commenters who argue for the inclusion of the specific monitoring, detection, and response technologies that it makes eligible. The Commission also agrees with commenters who advocate for the inclusion of these services and equipment as an important approach to remediating cybersecurity threats and attacks, particularly given the limited resources of schools/libraries to hire or retain staff or other personnel to conduct these activities themselves. No commenter objects to the funding of network monitoring, detection, and response solutions. 43. The Commission imposes a number of limitations on eligibility to ensure the efficient and appropriate use of the limited Pilot funds, and to avoid duplicative funding, protect against waste, fraud, and abuse, and stretch the limited support available through the Pilot. First, the Commission makes ineligible for the Pilot funding any services, equipment, or associated cost that is already eligible through the ERate program. The Commission similarly makes ineligible for Pilot funding any service, equipment, or associated cost for which an applicant has already received full reimbursement, or plans to apply for full reimbursement, through any other USF or Federal, state, Tribal, or local government program through which reimbursement is sought. Participants may, however, use Pilot funding to support Pilot-eligible services and equipment that participants were previously paying for themselves, subject to its competitive bidding rules, PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 as this will allow the Commission to evaluate the efficacy of using universal service funding to support cybersecurity services and equipment, while potentially freeing up funding for participants to use for other needs. The Commission finds that limiting eligibility in this manner ensures that the Commission maximizes the use of the limited Pilot funding by eliminating the provision of redundant or duplicative support for the same cybersecurity services and equipment funded through other sources. It will also maximize the data and information the Commission is able to collect on new services and equipment not already funded through E-Rate or other programs, thus efficiently using Pilot resources to best inform any potential Commission action based on the Pilot data. As is customary in E-Rate, the Commission requires Pilot participants to perform a cost allocation to remove from their funding requests costs associated with ineligible components or functions of an otherwise eligible equipment or service. 44. In the Cybersecurity NPRM, the Commission proposed to limit eligibility to ‘‘equipment that is network-based (i.e., that excludes end-user devices, including, for example, tablets, smartphones, and laptops) and services that are network-based and/or locally installed on end-user devices, where the devices are owned or leased by the school or library,’’ and to equipment and services that are ‘‘designed to identify and/or remediate threats that could otherwise directly impair or disrupt a school’s or library’s network, including to threats from users accessing the network remotely.’’ The Commission adopts this proposal in the P–ESL with a clarification that ‘‘network-based’’ services include those that are cloud-based and server-based. In doing so, the Commission address concerns raised by some commenters by confirming that the term ‘‘networkbased’’ solutions includes both cloud and server-based solutions. The Commission finds this clarification appropriate since both servers and cloud architectures are used in conjunction with a network. 45. In taking this action, the Commission disagrees with the view expressed by Clark County School District (CCSD) that limiting eligibility in the way it had proposed would ‘‘not go far enough in protecting end-users.’’ Contrary to CCSD’s views, the Commission’s consideration for eligibility specifically encompass ‘‘enduser devices, where the devices are owned or leased by the school or library.’’ The Commission also disagrees E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations with CTIA’s view that eligibility should extend to end-user devices not owned or leased by the school or library since ‘‘leaving even one device exposed compromises an entire network.’’ While the Commission is sympathetic to this view on a technical level, it finds it administratively and financially impractical to expand eligibility to an even larger (and unknowable) number of additional devices that students, school staff, and library patrons may seek to connect to their networks over the duration of the Pilot Program. For purposes of the Pilot, the Commission therefore prioritize protection for (i.e., limit eligibility to) devices that are the most essential to a school’s or library’s educational mission and likely to be used to convey traffic on the networks of these participants. The Commission’s overall approach further addresses CTIA’s concerns by making a wide range of network-based protections available to monitor, detect, and remediate potential threats introduced by an end-user device that does not qualify for funding under Pilot Program rules. Practically speaking, schools and libraries cannot as easily limit access to their networks by their leased and owned devices while still fulfilling their core educational mission. The Commission thus finds that its approach strikes a reasonable balance between affording protections to the devices most essential and likely to be used on a school’s or library’s network, reducing threats that may be posed by nonfunded devices (e.g., through its decision to make eligible network-level protection technologies) and effectively deploying the limited amount of Pilot funding to provide benefits to a diverse range of schools and libraries. Accordingly, for these reasons and those previously provided in the Cybersecurity NPRM, the Commission adopts its proposal as clarified. 46. To further protect the Pilot’s limited funds, the Commission restricts eligibility in a number of ways. The Commission deems ineligible (i) staff salaries and labor costs for a participant’s personnel and (ii) beneficiary and consulting services that are not related to the installation and configuration of the eligible equipment and services. This mirrors restrictions in the E-Rate program that have proven to be effective in conserving the limited USF funds. The Commission expects that this action will provide similar benefits in the context of the Pilot. The Commission similarly deems ineligible insurance costs and any costs associated with responding to specific ransom demands. The Commission finds that VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 these restrictions are necessary to ensure that the limited Pilot funding is used for the evaluation of specific technologies, i.e., eligible cybersecurity services and equipment, so that it can gain maximum insight into the technical effectiveness of those offerings. The Commission finds it reasonable to exclude these enumerated uses from the Pilot, which has even more limited funding available as compared to the ERate program. 47. In the Cybersecurity NPRM, the Commission sought comment on ‘‘whether it should place restrictions on the manner or timing of a Pilot participant’s purchase of security measures,’’ including whether ‘‘funding [should] be limited to a participant’s one-time purchase of security measures or [if it] should . . . cover the on-going, recurring costs that a Pilot participant may incur, for example, in the form of continual service contracts or recurring updates to the procured security measures.’’ The Commission received only a few comments in response with commenters suggesting that any such restrictions should be minimally burdensome and avoid unnecessarily interfering with participants’ attempts to obtain funding support. Accordingly, the Commission confirms that Pilot participants may request reimbursement for one-time purchases, as well as the recurring costs of eligible security measures. As discussed in this proceeding, Pilot participants will be permitted to request reimbursement as expenses are incurred, whether for onetime or recurring expenses, subject to the limitations regarding participants’ budgets as well as funding commitments. 48. Supply Chain Restrictions. In the Cybersecurity NPRM, the Commission proposed to apply the Secure and Trusted Communications Networks Act of 2019 to Pilot participants by prohibiting these participants from using any funding obtained through the program to purchase, rent, lease, or otherwise obtain any of the services or equipment on the Commission’s Covered List or to maintain any of the services or equipment on the Covered List that was previously purchased, rented, leased, or otherwise obtained. The Commission also sought comment on whether ‘‘there are any other restrictions or requirements that it should place on recipients of Pilot funds based on the Secure [and Trusted Communications] Networks Act and/or other . . . concerns related to supply chain security.’’ The Commission adopts its proposal to bar Pilot participants from using Pilot funding in ways prohibited by the Secure and PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 61291 Trusted Communications Networks Act and/or the Commission’s rules, including §§ 54.9 and 54.10 of the Commission’s rules, that implement the Secure and Trusted Communications Networks Act. Accordingly, Pilot participants are prohibited by § 54.9 of the Commission’s rules from using funding made available through the Pilot to ‘‘purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by any company posing a national security threat to the integrity of communications networks or the communications supply chain,’’ including Huawei Technologies Company and ZTE Corporation, and their parents, affiliates, and subsidiaries. Pilot participants are also prohibited by § 54.10 of the Commission’s rules from using Pilot funding to ‘‘[p]urchase, rent, lease, or otherwise obtain any . . . communications equipment or service’’ or ‘‘[m]aintain any . . . communications equipment or service previously purchased, rented, leased, or otherwise obtained’’ that is included on the Commission’s Covered List. The Commission notes that the entities, services, and equipment designated under these rules may evolve over time as the Commission’s Public Safety and Homeland Security Bureau (PSHSB) revises its designations of covered companies and/or issues updates to the Covered List. It is the responsibility of Pilot participants to ensure they remain in compliance with the Secure and Trusted Communications Networks Act, and the Commission’s related rules, if such revisions are made. The Commission finds that these actions will effectively ensure that potential risks and vulnerabilities in Pilot participants’ communications networks are addressed in the manner intended and directed by Congress in the Secure and Trusted Communications Networks Act. Cisco generally supports this approach, and no commenter opposes it. 49. Application Process for Pilot Program. The Commission adopts application and selection processes for the Pilot Program patterned after the Connected Care Pilot Program, adopt several of the application, selection, and administrative proposals from the Cybersecurity NPRM, and designate USAC to be the Administrator of the Pilot Program. In the Cybersecurity NPRM, the Commission proposed to structure the Pilot Program in a manner similar to the Connected Care Pilot Program. In particular, the Commission proposed that schools, libraries, and consortia would apply to be Pilot participants and that those entities E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61292 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations selected to participate in the Pilot would be eligible to apply for funding for eligible cybersecurity services and equipment. The Commission also proposed that Pilot participants would receive a funding commitment and, after receipt of the commitment, would be eligible to receive cybersecurity services and equipment and submit requests for reimbursement for Pilot funding. The Commission further proposed that USAC be appointed the Administrator of the Pilot Program. Two commenters specifically expressed support for its proposal to structure the Pilot in a manner similar to the Connected Care Pilot Program. Only one commenter, the American Library Association (ALA), addressed its proposal that USAC be appointed the Administrator of the Pilot Program, agreeing that the application process and other aspects of the Pilot Program should be administered by USAC. 50. The Commission also proposed in the Cybersecurity NPRM that entities interested in participating in the Pilot be required to submit a Pilot Program Application (FCC Form 484) describing their proposed use of Pilot funds, including, but not limited to, the following information: (i) identification and contact information; (ii) cybersecurity posture and risk management practices; (iii) information on unauthorized access and cybersecurity incidents; (iv) the specific types of cybersecurity services and equipment to be purchased with Pilot funds; and (iv) how the entities plan to collect data and track their cybersecurity progress if selected as a Pilot participant. While there was minimal opposition to the collection of general information, the majority of commenters recommended against the collection of applicant-specific cybersecurity information. For example, some commenters recommended that the Commission refrain from seeking information about previous cyber threats, attacks, or incidents as part of the FCC Form 484 application. Still others recommended that applicants not be required to provide details regarding their cybersecurity postures, network environments, or current protection measures (or lack thereof). Several commenters recommended that the FCC Form 484 application process be minimally burdensome, and a few commenters recommended that it align with E-Rate tools and concepts that are familiar to E-Rate applicants wherever possible. 51. Finally, The Commission proposed in the Cybersecurity NPRM that applicants and participants submit their FCC Form 484 applications via an VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 online platform designed and operated by USAC and inquired as to confidentiality or security concerns. The Commission also asked how it could best leverage its prior experience in other USF and congressionallyappropriated programs and sought comment on lessons learned. For administrative efficiency, the Commission further proposed that the Bureau select Pilot participants in consultation with the Office of Economics and Analytics (OEA), PSHSB, and the Office of the Managing Director (OMD), as needed. The Commission also proposed to delegate to the Bureau the authority to implement the proposed Pilot and direct USAC’s administration of the program consistent with the Commission’s rules and oversight. No commenter addressed the submission of the FCC Form 484 applications using an online platform designed and operated by USAC, though some expressed concerns about the confidentiality and security of cybersecurity data provided as part of the application process. Comments related to past experience and lessons learned focused on the requests for reimbursement and invoicing processes, are discussed in the Order. Many commenters supported the Commission’s legal authority to conduct the Pilot Program, but did not address Bureau review of Pilot Program applications in consultation with OEA, PSHSB, and OMD, or the delegation of authority to the Bureau to implement the Pilot or direct USAC’s administration of the Pilot. 52. Based on the record, the Commission adopts several of the proposals from the Cybersecurity NPRM. Specifically, the Commission adopts the application, selection, and administrative proposals, and it designates USAC to be the Administrator of the Pilot. In doing so, the Commission is mindful of the concerns expressed by commenters about the scope of information to be included in the FCC Form 484 application and agree that the initial application process would benefit from a decrease in the amount of cybersecurity-sensitive school and library data requested. To that end, the FCC Form 484 application will be split into two parts. The first part will collect a more general level of cybersecurity information about the applicant and its proposed Pilot project, and will use prepopulated data where possible, as well as a number of ‘‘yes/no’’ questions and questions with a predetermined set of responses (i.e., multiselect questions with predefined answers). The second PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 part will collect more detailed cybersecurity data and Pilot project information, but only from those who are selected as Pilot participants. The Commission will treat all cybersecurityrelated information requested and provided in the FCC Form 484 as presumptively confidential, and will not make it routinely available for public inspection. 53. To be considered for the Pilot, an applicant must complete and submit part one of the FCC Form 484 application describing its proposed Pilot project and providing information to facilitate the evaluation and eventual selection of high-quality projects for inclusion in the Pilot. Specifically, the applicant must explain how its proposed project meets the considerations outlined below. In addition, the applicant must present a clear strategy for addressing the cybersecurity needs of its K–12 school(s) and/or library(ies) pursuant to its proposed Pilot project, and clearly articulate how the project will accomplish the applicant’s cybersecurity objectives. The Commission anticipates that successful applicants will be able to demonstrate that they have a viable strategic plan for providing eligible cybersecurity services and equipment directly to the school(s) and/or library(ies) included in their proposed Pilot projects. Further, the Commission expects applications to be tailored to the unique circumstances of each applicant. USAC and/or the Bureau may disqualify from consideration for the Pilot those applications that provide a bare minimum of information or are generic or template in nature. 54. Part One Application Information. For the first part of the FCC Form 484 application, the Commission directs the Bureau and USAC to collect a general level of cybersecurity information from schools, libraries, and consortia that apply to participate in the Pilot Program. At a minimum, applications to participate in the Pilot Program must contain the following required information: • Names, entity numbers, FCC registration numbers, employer identification numbers, addresses, and telephone numbers for all schools, libraries, and consortium members that will participate in the proposed Pilot project, including the identity of the consortium leader for any proposals involving consortia. • Contact information for the individual(s) who will be responsible for the management and operation of the proposed Pilot project (name, title or E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations position, telephone number, mailing address, and email address). • Applicant number(s) and type(s) (e.g., school; school district; library; library system; consortia; Tribal school or library (and Tribal affiliation)), if applicable; and current E-Rate participation status and discount percentage, if applicable. • A broad description of the proposed Pilot project, including, but not limited to, a description of the applicant’s goals and objectives for the proposed Pilot project, a description of how Pilot funding will be used for the proposed project, and the cybersecurity risks the proposed Pilot project will prevent or address. • The cybersecurity equipment and services the applicant plans to request as part of its proposed project, the ability of the project to be selfsustaining once established, and whether the applicant has a cybersecurity officer or other seniorlevel staff member designated to be the cybersecurity officer for its Pilot project. • Whether the applicant has previous experience implementing cybersecurity protections or measures (answered on a yes/no basis), how many years of prior experience the applicant has (answered by choosing from a preset menu of time ranges (e.g., 1 to 3 years)), whether the applicant has experienced a cybersecurity incident within a year of the date of its application (answered on a yes/no basis), and information about the applicant’s participation or planned participation in cybersecurity collaboration and/or informationsharing groups. • Whether the applicant has implemented, or begun implementing, any Education Department or CISA best practices recommendations (answered on a yes/no basis), a description of any Education Department or CISA free or low-cost cybersecurity resources that an applicant currently utilizes or plans to utilize, or an explanation of what is preventing an applicant from utilizing these available resources. • An estimate of the total costs for the proposed Pilot project, information about how the applicant will cover the non-discount share of costs for the Piloteligible services, and information about other cybersecurity funding the applicant receives, or expects to receive, from other Federal, state, local, or Tribal programs or sources. • Whether any of the ineligible services and equipment the applicant will purchase with its own resources to support the eligible cybersecurity equipment and services it plans to purchase with Pilot funding will have any ancillary capabilities that will allow VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 it to capture data on cybersecurity threats and attacks, any free or low-cost cybersecurity resources that the applicant will require service providers to include in their bids, and whether the applicant will require its selected service provider(s) to capture and measure cost-effectiveness and cyber awareness/readiness data. • A description of the applicant’s proposed metrics for the Pilot project, how they align with the applicant’s cybersecurity goals, how those metrics will be collected, and whether the applicant is prepared to share and report its cybersecurity metrics as part of the Pilot Program. To facilitate the inclusion of a diverse set of Pilot projects and to target Pilot funds to the populations most in need of cybersecurity support, particularly those with minimal or no cybersecurity protections today, the Commission anticipates selecting projects from, and providing funding to, a combination of large and small and urban and rural schools, libraries, and consortia, with an emphasis on funding proposed Pilot projects that include low-income and Tribal applicants. Similarly, and addressing concerns expressed by ActZero, the Commission encourages participation in the Pilot by a broad range of service providers and note that the rules and requirements it adopts here do not discourage new companies from participating. Nor does it require service providers to have preexisting service provider identification numbers (SPIN) before submitting cybersecurity bids or previous E-Rate experience before participating in the Pilot. 55. When an applicant submits part one of its FCC Form 484 application, it will be required to certify, among other things, that it is authorized to submit the application and is responsible for the data being submitted; the data being submitted is true, accurate, and complete; if selected for the Pilot, it will comply with all rules and orders governing the program, including the competitive bidding rules and the requirement to pay the non-discount share of costs for Pilot-eligible services and equipment from eligible sources; all requested Pilot-funded eligible services and equipment will be used for their intended purposes; the schools, libraries, and consortia listed in the FCC Form 484 application are not already receiving, and do not expect to receive, other funding for the same cybersecurity services and equipment for which Pilot funding is being sought; it may be audited pursuant to its Pilot Program application and will retain any and all records related to its application for 10 years; and, if audited, it will produce PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 61293 those records at the request of the appropriate officials. The applicant must also certify that it understands that failure to comply with the Pilot Program rules and order(s) may result in the denial of funding, cancellation of funding commitments, and/or the recoupment of past funding disbursements. The Commission emphasizes that it is committed to protecting the integrity of the Pilot and ensuring that USF funds disbursed through the Pilot are used for eligible and appropriate purposes. In the event of a violation of Pilot Program rules or requirements, the Commission reserves the right to take appropriate actions, including, but not limited to, seeking recovery of funds or further enforcement action. Applicants who participate in the Pilot Program must also comply with all applicable Federal and state laws, including sections 502 and 503(b) of the Act, title 18 of the United States Code, and the Federal False Claims Act. 56. While the Commission understands the desire by some commenters to keep the initial application as streamlined as possible, in order to evaluate the proposed Pilot projects and select well-defined and sustainable projects, it is incumbent on us to require certain information at the application stage. Thus, the Commission disagrees with commenters who say that applicants will need to possess a prohibitive amount of knowledge during the application stage and will not be able to describe how they propose to use Pilot Program funds until after they have been selected as Pilot participants. Although an applicant may not know the precise cybersecurity services and equipment it would seek to fund with Pilot funding, it is unlikely that an applicant would apply to participate in the program without having some general cybersecurity goals or plans for using the funding, if selected as a participant. Additionally, the Order contains a list of Pilot-eligible services and equipment that will aid applicants as they begin formulating their proposed Pilot projects in advance of the opening of the FCC Form 484 application window. Applicants, therefore, should do their best to provide the requested information in the application, including information on estimated costs related to their proposed cybersecurity project. 57. Selection Process for Pilot Program. To select Pilot participants, the Commission directs the Bureau and USAC to use limited prerequisites and a broad and objective set of evaluation factors with an emphasis on funding low-income and Tribal entities, consistent with the E-Rate and E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61294 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations Connected Care Pilot programs. In the Cybersecurity NPRM, the Commission sought comment on how to evaluate and prioritize Pilot applications. In particular, the Commission sought comment on what prerequisites, if any, the Commission should adopt to select participants. For example, it asked whether the adoption of free and lowcost cybersecurity tools and resources should be required for an applicant to be selected as a Pilot participant; Pilot participants should be required to correct known security flaws and conduct routine back-ups; Pilot participants should be required to join cybersecurity information-sharing groups, such as MS–ISAC or K12 SIX; Pilot participants should be required to implement, or demonstrate their plans to implement, recommended best practices from organizations like the Education Department, CISA, and NIST; and Pilot participants should be required to take steps to improve their cybersecurity posture by designating an officer or senior staff member to be responsible for cybersecurity implementation, updates, and oversight. The Commission received mixed reactions to its proposed use of prerequisites to select Pilot participants. At least one commenter thought the Commission should not utilize prerequisites to determine Pilot participation. Commenters were split on the proposal to require the adoption of free and low-cost cybersecurity tools and resources for an applicant to be selected as a Pilot participant. No commenter spoke directly to whether Pilot participants should be required to correct known security flaws or conduct routine back-ups as part of the Pilot Program, though a small number of commenters discussed whether Pilot funding should be targeted to allow schools and libraries to implement some or all of the items contained in the CISA list of highest priority steps. Some commenters thought requiring Pilot participants to join cybersecurity information-sharing groups was too onerous, while others found such a requirement beneficial. Some commenters supported the requirement for Pilot participants to implement, or demonstrate plans to implement, recommended best practices from organizations like the Education Department, CISA, and NIST or recommended using the best practices to evaluate Pilot Program success, though at least one commenter expressed reservations about the Commission doing so. The State E-Rate VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 Coordinators Alliance (SECA) proposed that the Commission ‘‘specify that completion or submission of an application for the free vulnerability assessment offered by CISA . . . [be] sufficient for meeting the assessment prerequisite as part of the Form 484 application process.’’ Clear Creek Amana CSD (Clear Creek), however, cautioned against relying on Federal resources outside of a limited incident response plan following the NIST frameworks. A few commenters supported the proposal that a school, library, or consortium should have implemented or begun implementing a cybersecurity framework or program to participate in the Pilot. However, others called for selection based on a holistic view of an applicant’s cybersecurity expertise and risk. CIS stated that designating an officer or senior staff member to be responsible for cybersecurity implementation, updates, and oversight was an important step towards cyber maturity that should be achievable by Pilot participants. The Alliance for Digital Innovation (ADI) similarly recommended that the Commission make leadership commitment a requirement to participate in the Pilot Program, noting that ‘‘[s]enior leadership commitment plays a pivotal role in prioritizing cybersecurity within organizations.’’ 58. The Commission also asked questions about reliance on objective versus subjective factors and how such factors should be used to select Pilot participants. In terms of objective factors, it asked whether the selection of Pilot participants should be based on ERate category two discount rate levels, location (e.g., urban vs. rural), and/or participant size (i.e., small vs. large). The Commission also sought comment on whether certain of those factors are more or less important than others from a Pilot selection standpoint and requested the underlying rationale for such determinations. Commenters generally agreed that the Pilot should prioritize the neediest applicants or those applicants that qualify for the highest discount percentages in the ERate program. Commenters overwhelmingly supported the Commission’s proposal to incorporate a diverse array of applicants in the Pilot, including both urban and rural and large and small participants. Many commenters advocated for the preferential selection of consortia and statewide, regional, and local government applications, noting that such applications allow schools and PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 libraries to stretch their cybersecurity dollars and extend cybersecurity protections to a larger pool of recipients. Similarly, other commenters encouraged the Commission to enable school districts to work across district and community boundaries to participate in the Pilot Program. 59. For subjective Pilot selection factors, the Commission inquired as to whether the Pilot Program would benefit from including schools and libraries with advanced cybersecurity expertise only or whether cybersecurity expertise should not factor into Pilot participant selection at all. Relatedly, the Commission also sought comment on how it could ensure that schools and libraries that lack funding, expertise, or are otherwise under-resourced could meaningfully participate in the Pilot. The Commission asked commenters to address whether Pilot participants should be required to demonstrate that they have started to take actions to improve their cybersecurity posture. Conversely, the Commission also asked commenters whether a school or library should be required to provide a certification or other confirmation that, absent participation in the Pilot, it does not have the resources to start implementing CISA’s K–12 cybersecurity recommendations. Commenters generally agreed that the Pilot would most benefit from including participants with a mix of cybersecurity expertise and varying cybersecurity postures. With respect to how to ensure that under-resourced schools and libraries are able to meaningfully participate in the Pilot, commenters suggested that the FCC and USAC conduct early and detailed Pilot Program outreach, including providing technical and other assistance to those applicants who are likely to need it most. No commenters addressed the proposal that a school or library be required to provide a certification or other confirmation that it does not have the resources to start implementing the CISA K–12 cybersecurity recommendations absent selection for the Pilot. CTIA recommended that applicants be required to disclose funding from non-Pilot sources and explain how Pilot Program funding would complement, but not duplicate, the applicant’s existing cybersecurity tools and support. 60. Along these same lines, the Commission also asked whether participation in the Pilot should be limited to those schools and E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations libraries that have faced or are facing particular types of cybersecurity threats or attacks. In particular, it sought comment on the types of cybersecurity threats and attacks encountered by schools and libraries and how they should be evaluated, if at all, when selecting Pilot participants and similarly, whether an applicant’s previous history of cybersecurity threats or attacks should be taken into consideration as part of the Pilot Program selection process. The Commission also asked what role, if any, cybersecurity risk, geographic or socioeconomic factors, staffing constraints or financial need, or technical challenges should play in Pilot participant selection. Commenters urged the Commission to forgo reliance on whether an applicant has faced or is facing a particular type of cybersecurity threat or attack, an applicant’s previous history with cybersecurity threats or attacks, or the frequency with which an applicant has experienced a cybersecurity incident as drivers of Pilot participant selection. Commenters were generally supportive of selecting and prioritizing applicants who face geographic, socioeconomic, financial, and other challenges, or who serve lowincome and under-resourced populations. 61. The Commission agrees with commenters who support using a broad and objective set of evaluation factors to select Pilot Program participants. After reviewing the record, the Commission concludes that the Pilot Program goals will best be served by directing funding to: (1) the neediest eligible schools, libraries, and consortia who will benefit most from cybersecurity funding (i.e., those at the highest discount rate percentages); (2) as many eligible schools, libraries, and consortia as possible; (3) those schools, libraries, and consortia that include Tribal entities; and (4) a mix of large and small and urban and rural, schools, libraries, and consortia. Selecting Pilot participants in this manner is consistent with its standard practice in E-Rate of prioritizing funding for the most resource-constrained schools, libraries, and consortia and is logical to apply here. It also achieves its goal of ensuring that the Pilot contains a diverse crosssection of applicants with differing cybersecurity postures and experiences. The Commission directs the Bureau to weigh these considerations during the Pilot application review and participant selection processes. 62. The Commission has considered commenters’ suggestions regarding the potential application factors and have determined that the considerations VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 outlined will provide us with meaningful information with which it can select Pilot projects and participants. The Commission acknowledges that commenters suggested it weighs other considerations, but it believes that the considerations listed best enable it to select high-quality projects that will meet Pilot goals and target Pilot funding to the schools and libraries with the greatest need. Further, each of these considerations play an important part in helping us better understand the relationship of certain cybersecurity services and equipment to the overall cybersecurity health and posture of entities in varying contexts and with varying levels of cybersecurity expertise. 63. The Commission directs the Bureau and USAC to review the applications and select Pilot projects and participants based on applicants’ responses, weighing the considerations listed, in combination with the applicants’ category one discount rates. In selecting Pilot projects and participants, limited initial screening prerequisites should be employed, but the Bureau and USAC may exclude applications that are incomplete or do not meet Pilot Program eligibility standards. The Bureau and USAC should also work to ensure that, to the extent feasible and based on qualified applications, Pilot Program funding is not heavily concentrated in any particular state or region, and instead is distributed widely throughout the United States, including the District of Columbia and the U.S. territories, with an emphasis on funding proposed Pilot projects that include low-income and Tribal applicants. The Commission declines to require Pilot applicants or participants to join information-sharing organizations like MS–ISAC, though it highly encourages all applicants or participants to do so. In choosing participants for the Pilot, the Bureau and USAC should also consider the cost of the proposed Pilot project compared to the total Pilot Program cap. This does not mean that proposed Pilot projects should be evaluated based on their total project budgets, but, rather, the Bureau and USAC should seek to select an array of Pilot projects with varying costs that can all be funded within the Pilot Program’s cap. In addition, the Bureau and USAC should seek to select an array of Pilot participants with differing levels of exposure to cybersecurity threats and attacks, and ensuring that the selected Pilot participants include schools and libraries that currently have limited cybersecurity protections. Although PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 61295 applicants’ responses will be considered consistent with the considerations listed when evaluating proposed Pilot projects, the considerations are not determinative of whether a Pilot project will be selected because the Commission recognizes that each proposed Pilot project will have its own unique strengths and potential challenges. The Commission’s goal is to ensure the selection of proposed Pilot projects that present a well-defined plan for meeting the cybersecurity needs of specific schools, libraries, or consortia, with a particular emphasis on resourcechallenged and Tribal applicants and the three Pilot Program goals discussed in greater detail in the Order. 64. Prioritization. In the event that the number of FCC Form 484 applications received exceeds the number of projects that can be funded through the Pilot, the Commission directs the Bureau and USAC to prioritize the selection of Pilot participants by considering their funding needs in combination with the funding needs of the same type(s) of applicants. Under the rules for the Pilot, eligible schools and libraries may receive discounts ranging from 20 percent to 90 percent of the prediscount price of eligible services and equipment, based on indicators of need. Schools and libraries in areas with higher percentages of students eligible for free or reduced-price lunch through the National School Lunch Program (or a federally approved alternative mechanism) qualify for higher discounts for eligible services than those with lower levels of eligibility for such programs. The Commission’s priority rules for the Pilot provide that funds shall be allocated first to requests for support at the 90 percent discount rate. To the extent funds remain after discounts are awarded to entities eligible for a 90 percent discount, the rules Pilot rules provide that the Administrator shall continue to allocate funds for discounts to participants at each descending single discount percentage. The Pilot rules also provide that if sufficient funds do not exist to grant all requests within a single discount percentage, the Administrator shall allocate the remaining support on a pro rata basis over that single discount percentage level. Funding for libraries will be prioritized based on the percentage of free and reduced lunch eligible students in the school district that is used to calculate the library’s discount rate. Funding for individual schools that are not affiliated financially or operationally with a school district, such as private or charter schools that apply individually, will be prioritized E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61296 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations based on each school’s individual free and reduced student lunch eligible population. For those schools and libraries selected as Pilot participants that do not participate in the E-Rate program, their discount rate will be calculated based on indicators of need as outlined and their funding prioritized consistent with the prioritization rules for the Pilot described in this paragraph. This prioritization gives applicants serving the highest poverty populations first access to funds while allowing us to fund within a discount band even where funding is not sufficient to reach all participants in the band. This system of prioritization is also consistent with Fortinet’s recommendation that ‘‘the Commission . . . consider a tiered prioritization scheme for Pilot support requests’’ and the recommendations of commenters that those schools, libraries, and consortia with a higher discount rate receive funding ahead of those who are entitled to a lower discount rate. 65. Part Two Application Information. For the second part of the FCC Form 484 application, the Commission directs the Bureau and USAC to collect more detailed cybersecurity information from applicants who are selected to participate in the Pilot Program. The Commission has bifurcated the application into two parts, seeking a general level of cybersecurity information from applicants and leaving the more detailed cybersecurity reporting for the selected Pilot participants. This has the benefit of limiting the amount of sensitive cybersecurity information that will be provided by applicants at the application stage and will reduce the initial application burden. The Commission requires Pilot participants to provide such information to help establish a baseline that will enable it to effectuate the Performance Goals and Data Reporting discussed. Applicants should be aware, that, if selected to participate in the Pilot Program, they will be required to provide the following additional (or substantially similar) cybersecurity information, as applicable, and may be removed from the Pilot Program if they refuse or fail to do so: • Information about correcting known security flaws and conducting routine backups, developing and exercising a cyber incident response plan, and any cybersecurity changes or advancements the participant plans to make outside of the Pilot-funded services and equipment. • A description of the Pilot participant’s current cybersecurity posture, including how the school or VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics. • Information about a participant’s planned use(s) for other Federal, state, or local cybersecurity funding (i.e., funding obtained outside of the Pilot). • Information about a participant’s history of cybersecurity threats and attacks within a year of the date of its application; the date range of the incident; a description of the unauthorized access; a description of the impact to the K–12 school or library; a description of the vulnerabilities exploited and the techniques used to access the system; and identifying information for each actor responsible for the incident, if known. • A description of the specific Education Department or CISA cybersecurity best practices recommendations that the participant has implemented or begun to implement. • Information about a participant’s current cybersecurity training policies and procedures, such as the frequency with which a participant trains its school and library staff and, separately, information about student cyber training sessions, and participation rates. • Information about any nonmonetary or other challenges a participant may be facing in developing a more robust cybersecurity posture. 66. Instructions for Filing Applications. Iin order to facilitate the application process, the Commission plans to provide an application titled ‘‘Schools and Libraries Cybersecurity Pilot Program Application’’ (FCC Form 484) that applicants must use when submitting their project proposals to the Commission. Applicants will be required to complete each section of the first part of the application and make the required certifications. The applications for the Pilot Program must be submitted through the Pilot portal on USAC’s website during the announced FCC Form 484 application filing window discussed below. The Commission directs the Bureau to issue a Public Notice subsequent to the release of the Order that specifies the effective date of the Pilot Program rules and the filing window dates for submitting Pilot applications. The Public Notice must also include details on how to submit an application using the Pilot portal on USAC’s website. In response to concerns about the security and confidentiality of cybersecurity information provided as part of the Pilot, as stated previously, the Commission is only requiring more general information at the application PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 stage of the Pilot. The more detailed, cybersecurity-related information will only be provided by Pilot participants. Some commenters have expressed concerns that this type of information is sensitive and could be used by malicious cybersecurity actors for nefarious purposes. The Commission agrees and find that the cybersecurityrelated information that is being requested and provided in the FCC Form 484 constitutes sensitive business information and includes trade secrets. Accordingly, the Commission will treat it as presumptively confidential under its rules and will withhold it from public inspection. The Commission further notes that FCC Form 484 data will be protected by security protections built into USAC’s Pilot portal. 67. Instructions for Establishing Application Schedule and Reviewing Applications. The Commission delegates to the Bureau the authority to establish an application schedule consistent with the direction provided in the Order; review Pilot FCC Form 484 applications; and select Pilot projects and participants, doing so in an efficient and expedited manner. The Commission further directs the Bureau to consult with OEA, PSHSB, OMD, and the Office of General Counsel (OGC), as needed, regarding the review of Pilot applications and selection of participants. After selecting the Pilot participants, the Commission directs the Bureau to announce its selections through a Public Notice that will provide further detail about the Pilot Program requirements, including providing additional information and instruction regarding Pilot requirements for submitting the second part of the Form 484 application, competitive bidding, submitting requests for funding, and invoicing, as well as the Pilot-specific data and metrics reporting requirements discussed herein and the format for those reporting and metrics requirements. 68. Establishing an Application Filing Window. To facilitate an efficient and equitable application review process, the Commission directs the Bureau to establish an application filing window, after which it will review applications from all eligible applicants by weighing the considerations discussed. Establishing a single filing window was well received by those commenters who addressed the proposal and opening a single window will allow the Bureau to review all applications before making selections. The Commission expects that adopting a single FCC Form 484 application filing window and proceeding in this manner will assist with its goal of selecting a diverse cross- E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations section of Pilot participants with a particular focus on the under-resourced applicants who are most in need of cybersecurity funding. To further assist under-resourced applicants, the Commission directs the Bureau and USAC to offer dedicated training and office hours for applicants and participants who are less experienced with cybersecurity services and equipment, or with the E-Rate and ECF program forms and processes. 69. The Commission next adopts competitive bidding processes and rules for the Pilot Program that mirror the ERate program to ensure that the limited Pilot funds are used for the most costeffective eligible services and equipment; the integrity of the Pilot Program is protected; and potential waste, fraud, and abuse is prevented. The Commission directs the Bureau and USAC to model the Pilot Program requests for services, invoicing, and reimbursement processes and forms on existing E-Rate and ECF program processes and forms to the extent possible for the Pilot Program, consistent with record support. In particular, the Commission expects the Bureau and USAC to leverage the following FCC forms for the Pilot that will mirror existing E-Rate and ECF forms: (1) FCC Form 470 (Description of Services Requested and Certification Form); (2) FCC Form 471 (Description of Services Ordered and Certification Form); (3) FCC Form 472 (Billed Entity Applicant Reimbursement (BEAR) Form); and (4) FCC Form 474 (Service Provider Invoice (SPI) Form). The Commission requires Pilot participants and service providers to make certain certifications on Pilot Program forms to protect the integrity of the Pilot. The Commission also requires them to submit invoices with their reimbursement requests that support the amounts requested and approved in their Pilot FCC Form 471 applications. By modeling the Pilot processes and forms on existing E-Rate and ECF processes and forms, the Commission expects to save Pilot participants time needed to familiarize themselves with the new forms and reduce administrative cost and burden. 70. As in the E-Rate program, the Commission adopts competitive bidding processes and rules for the Pilot Program to ensure that the limited Pilot funds are used for the most costeffective eligible services and equipment, and to protect the integrity of the Pilot. Competitive bidding is a cornerstone of several USF programs, including the E-Rate and Connected Care Pilot programs, and is critical to ensuring that applicants obtain the most VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 cost-effective offering available. Currently, under the E-Rate program rules, to obtain support an applicant must first conduct a competitive bidding process and comply with the Commission’s competitive bidding rules. Applicants begin the competitive bidding process by filing a completed ERate FCC Form 470 with USAC. USAC, in turn, posts the form on its website for potential competing service providers to review and submit bids. An applicant must wait at least 28 days from the date on which its E-Rate FCC Form 470 is posted on USAC’s website before entering into a signed contract or other legally binding agreement with a service provider and submitting an E-Rate FCC Form 471 to seek funding for selected services and equipment. The E-Rate FCC Form 470 must specify and provide a description of the eligible services and equipment requested with sufficient detail to enable potential service providers to submit responsive bids. 71. In the Cybersecurity NPRM, the Commission proposed a competitive bidding process and rules for Pilot participants that mirror the existing ERate competitive bidding process and rules. Because of the structural similarities between the E-Rate program and the Pilot, the proven effectiveness of the E-Rate processes and rules, and the reduced compliance burden for Pilot participants who are already familiar with existing E-Rate requirements, it concludes that its proposal is reasonable and adopts it here. To begin, the Commission adopts a Pilot FCC Form 470, modeled after the E-Rate form, that Pilot participants will use to describe their desired Pilot-eligible services and equipment and initiate the competitive bidding process. Likewise, the Commission adopts competitive bidding requirements modeled on § 54.503 of the Commission’s rules, with which Pilot participants must comply to ensure they conduct an open and fair competitive bidding process. This includes, among other things, the requirement that a Pilot participant must wait at least 28 days from the date the Pilot FCC Form 470 is posted on USAC’s website before entering into a legally binding agreement or contract with a service provider and must submit a Pilot FCC Form 471 to seek funding for Pilot-eligible services and equipment. It also includes the requirement that before entering into an agreement or contract with a service provider(s), a Pilot participant carefully consider all bids submitted and select the most cost-effective service offering with price as the primary (i.e., most heavily-weighted) factor in the vendor PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 61297 selection process. Finally, it includes a restriction on the receipt of gifts and a requirement that the competitive bidding process be conducted in a fair and open manner (i.e., all potential service providers have access to the same information and are treated in the same manner throughout the entire competitive bidding process). 72. Because the competitive bidding process is essential to ensuring that Pilot participants obtain the most costeffective eligible services and equipment, protecting program integrity, and preventing potential waste, fraud, and abuse in the Pilot, the Commission declines CCSD’s recommendation that applicants with existing contracts for cybersecurity solutions be allowed to request Pilot Program funding to cover the cost of those contracts and be exempt from any competitive bidding requirements. Likewise, the Commission declines to provide an exemption to competitive bidding for costs that Pilot participants may be currently cost-allocating in ERate funding requests for advanced firewall services. Similarly, because an open and fair competitive bidding process hinges on all bidders being on equal footing, the Commission also declines E-Rate Central’s proposal that applicants be allowed to conduct their competitive bidding processes before submitting their FCC Form 484 applications and be permitted to work alongside their selected service providers to develop their proposed Pilot projects. Finally, to enable participants to select the services and equipment that best meets their needs, it clarifies, as SECA requests, that participants are permitted to require that the services or equipment to be purchased are interoperable with and/or compatible with existing services and equipment that have already been purchased. 73. The Commission does, however, establish a limited exemption to competitive bidding for Pilot participants who may be eligible to purchase services and equipment from master services agreements (MSAs) or their equivalent. Specifically, Pilot participants will not be required to seek competitive bids when seeking support for services and equipment purchased from MSAs negotiated by Federal, state, Tribal, or local governmental entities on behalf of such Pilot participants, if such MSAs were awarded pursuant to the ERate Form 470 process, as well as applicable Federal, state, Tribal, or local competitive bidding requirements. The Commission agrees with SECA that these MSAs or state master contracts are ‘‘efficient contract vehicles’’ and reflect E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61298 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations ‘‘cost-effective solutions for different components and different manufacturers.’’ Pilot participants will be required to use the mini-bid process if required by the relevant MSA or state master contract. The Commission finds that this exemption, which was similarly included in the Connected Care Pilot Program, will enable Pilot participants to benefit from competitively bid state master contracts and MSAs, and in so doing, will streamline the competitive bidding process and minimize the burden on Pilot participants. 74. As proposed in the Cybersecurity NPRM, the Commission adopts the Pilot FCC Form 471, modeled after the E-Rate FCC Form 471, for Pilot participants and their service provider(s). In the E-Rate program, applicants file an FCC Form 471 to request discounts on eligible services and equipment for the upcoming funding year. The E-Rate FCC Form 471 requires detailed descriptions of the services and equipment requested, including the costs of and service dates for the services and equipment; the selected service provider(s); and certifications regarding compliance with program rules. Applicants must wait until the Allowable Contract Date (ACD), which is 28 days after the E-Rate FCC Form 470 is certified and submitted to USAC, to certify and submit their E-Rate FCC Forms 471. Once an applicant certifies and submits its E-Rate FCC Form 471, USAC issues a Receipt Acknowledgment Letter (RAL) to both the applicant and its selected service provider(s). Following the issuance of the RAL, and after USAC conducts its PIA review process, USAC issues a Funding Commitment Decision Letter (FCDL) to both the applicant and the selected service provider(s), at which point they may begin to invoice after the receipt or delivery of the requested eligible services and/or equipment. 75. Similar to the E-Rate program, Pilot participants must file a Pilot FCC Form 471 to request discounts on eligible services and equipment. As with the E-Rate form, the Pilot FCC Form 471 will include information on the recipients of services and equipment and the selected service provider(s); detailed descriptions of the services and equipment requested, including their costs and service dates; and certifications regarding compliance with Pilot rules. Pilot participants will be required to wait until the ACD to certify and submit the Pilot FCC Form 471. Once a Pilot participant certifies and submits the Pilot FCC Form 471, USAC will provide the Pilot participant an opportunity to correct any errors on the VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 form, through a RAL or similar process, after which USAC will issue an FCDL. Pilot participants will submit Pilot FCC Form(s) 471 to cover the full Pilot project, and will be allowed to submit service and equipment substitution change requests, if needed, during the three-year Pilot. 76. The Commission directs the Bureau and USAC to announce and open a Pilot FCC Form 471 application filing window to speed the availability of funds to the selected Pilot participants. During this application filing window, selected Pilot participants may submit their Pilot FCC Form(s) 471 to request eligible equipment and services that are needed to implement their Pilot project through the online system implemented by USAC. As the Commission is adopting forms, processes, and procedures that are used in the E-Rate and ECF programs, it expects that this application filing window process will be familiar to most of the selected Pilot participants. Pilot participants will have a three-year period from the date of their FCDL to receive and implement the services and equipment funded through the Pilot. Pilot participants will be required to report on the progress of their Pilot projects and how the Pilot funding is being used to improve their cybersecurity postures throughout the three-year term, consistent with the annual reporting requirements discussed in the Order. The Commission further expects that using a Pilot FCC Form 471 application filing window will allow USAC to quickly size demand, review applications, and issue funding decisions, thereby allowing the flow of funding more quickly to Pilot participants. In the event that demand does not exceed available funds, the Commission delegates authority to the Bureau to direct USAC to open additional Pilot FCC Form 471 application filing windows and to commit additional funding up to each Pilot participant’s allotted budget. No Pilot participant will be allowed to request or receive more funding than what is calculated based on the per-Pilot participant budget rule. 77. Invoicing. Consistent with the ERate program, and pursuant to the Second Report and Order, 68 FR 36931, June 20, 2003, the Commission permits both Pilot participants and service providers to submit requests for reimbursement using the Pilot FCC Forms 472 and 474, respectively. The Commission agrees with those commenters who explain that allowing both participant and service provider invoicing options is the most efficient and direct way to provide funding to PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 eligible schools and libraries. The Commission concludes that, on balance, allowing both invoicing options for the submission of Pilot reimbursement requests is an efficient and effective way to ensure that participants are actually able to purchase Pilot-eligible services and equipment, and aligns most closely with the E-Rate program, which commenters support. Consistent with ERate program rules, Pilot participants must be permitted to select the method of invoicing. For administrative simplicity, Pilot participants must also specify on their Pilot FCC Form(s) 471 whether the participant or the service provider will be conducting the invoicing for each funding request. As part of the reimbursement process, Pilot participants and service providers must provide the required certifications, along with any necessary documentation to support their requests. Requests for reimbursement must be submitted to USAC within 90 days after the last date to receive service, and Pilot participants or service providers may request a one-time extension of the invoicing filing deadline, if the request is timely filed. 78. Invoicing Documentation. As in the ECF program, to protect the integrity of the Pilot and protect against potential waste, fraud, and abuse, the Commission requires Pilot participants and service providers to submit, along with their reimbursement requests, invoices detailing the items purchased. Invoices must support the amounts requested and approved in the Pilot FCC Form 471 application. The Commission disagrees with Lumen Technologies, Inc. and NCTA that the submission of invoices with reimbursement requests would limit flexibility for Pilot participants and serves no purposes in this context. Rather, the submission of invoices with the Pilot FCC Forms 472/ 474 will help expedite the review of those requests and the corresponding disbursement of funds. Moreover, although the Pilot Program is not an emergency program, it is being conducted on an expedited basis, thus necessitating swift and efficient final invoicing decisions. While the Commission will not require Pilot participants and service providers to submit other supporting documentation at the time they submit their Pilot request(s) for reimbursement, pursuant to its certifications and document retention requirements, all participants must certify receipt/delivery of eligible services and equipment and that only eligible services and equipment were invoiced, as well as retain and provide upon request by USAC, the Commission E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (including Commission staff) and its Office of Inspector General (OIG), or any other authorized Federal, state, or local agency with jurisdiction over the entity, all records related to their Pilot FCC Forms 470, 471, and 472/474 (including, for example, competitive bidding documentation and contracts) for at least 10 years from the last date of service or delivery of equipment. 79. Consistent with the terms of the Memorandum of Understanding (MOU) between the Commission and USAC, and pursuant to the rules adopted, the Commission designates USAC as the Administrator of the Pilot Program. The Commission will use USAC’s services to review, process, and approve the Pilot FCC Forms 470, 471, 472, 474, 484, and 488, as well as recommend funding commitments, issue FCDLs, review requests for reimbursement and invoices, and payment of funds, as well as other administration-related duties. The one commenter that directly addressed the issue supported using USAC and its processes for the efficient and effective administration of the Pilot Program, and the Commission agrees that USAC’s experience administering the E-Rate and Connected Care Pilot programs, along with the other Federal universal service programs makes it uniquely situated to be the Administrator of the Pilot Program. In designating USAC as the Administrator of the Pilot Program the Commission notes that USAC may not make policy, interpret unclear statutes or rules relied upon to implement and administer the Pilot Program, or interpret the intent of Congress. In its administration of the Pilot Program, the Commission also directs USAC to comply with, on an ongoing basis, all applicable laws and Federal Government guidance on privacy and information security standards and requirements such as the Privacy Act, relevant provisions of the Federal Information Security Modernization Act of 2014, NIST publications, and Office of Management and Budget (OMB) guidance. 80. The Commission notifies Pilot participants, including their selected service providers that, similar to the ERate program and other USF programs, they shall be subject to audits and other investigations to evaluate their compliance with the statutory and regulatory requirements for the Pilot. USF Program audits have been successful in helping program applicants and participants improve compliance with the Commission’s rules and in protecting the funds from waste, fraud, and abuse. The Commission directs USAC to perform such audits pursuant to the VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 Commission’s and USAC’s respective roles and responsibilities as set forth in the MOU and § 54.2011 of the Commission’s rules. The Commission is also mindful of the privacy concerns raised regarding providing personally identifiable information (PII) to Commission or USAC staff about individual students, school staff, or library patrons that may be collected as part of the cybersecurity measures implemented through the Pilot. While it does not anticipate that Pilot participants will need to share the PII of students, school staff, or library patrons in connection with their Pilot FCC forms, audits (or related compliance tools), or reporting, it notes that the Commission, USAC, and any contractors or vendors will be required to abide by all applicable Federal and state privacy laws. The Commission also directs the Commission, USAC, and contractor/vendor staff to take into account the importance of protecting the privacy of students, school staff, and library patrons, to design requests for information from schools and libraries that minimize the need to produce information that might reveal PII, and to work with auditors to accept anonymized or deidentified information in response to requests for information wherever possible. If anonymized or deidentified information regarding the students, school staff, and library patrons is not sufficient for auditors’ or investigative purposes, the auditors or investigators may request that the school or library obtain the consent of the parents or guardians, for students, and the consent of the school staff member or library patron to have access to PII or explore other legal options for obtaining PII. The Commission additionally delegates to the Bureau and OMD, in consultation with OGC (and specifically the Senior Agency Official for Privacy) the authority to establish requirements for the Bureau’s, USAC’s, or any contractor’s/vendor’s collection, use, processing, maintenance, storage, protection, disclosure, and disposal of PII in connection with any Pilot FCC forms, audit (or other compliance tool), or reporting. 81. The Commission takes seriously its obligation to be a careful steward of the USF and to protect the integrity of the Pilot Program. The commission is committed to ensuring the integrity of the Pilot and will pursue instances of waste, fraud, or abuse under its own procedures and in cooperation with the Commission’s OIG and other law enforcement agencies. The specific procedures the Commission adopts regarding document retention PO 00000 Frm 00019 Fmt 4701 Sfmt 4700 61299 requirements, the prohibition on gifts, certifications, audits, suspension and debarment, and the treatment of eligible services and equipment are modeled after its E-Rate processes and are tools at its disposal to protect the Pilot and ensure the limited program funding is used for its intended purposes to support Pilot Program goals and enable the purchase of Pilot-eligible services and equipment. 82. In the Cybersecurity NPRM, the Commission sought comment on whether ‘‘document retention requirements’’ for the Pilot, including those based on modifying rules from the Commission’s E-Rate program, would help ‘‘protect the program integrity of the Pilot.’’ The Commission adopts this proposal. Specifically the Commission includes a new § 54.2010(a) of the Commission’s rules, modeled after a corresponding E-Rate rule, that requires Pilot participants to ‘‘retain all documents related to their participation in the [Pilot] program sufficient to demonstrate compliance with all program rules for at least 10 years from the last date of service or delivery of equipment’’ and ‘‘maintain asset and inventory records of services and equipment purchased sufficient to verify the actual location of such services and equipment for a period of 10 years after purchase.’’ The Commission also includes a new § 54.2010(b) of the Commission’s rules, also modeled after a corresponding ERate rule, that requires Pilot participants and service providers to ‘‘produce such records upon request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission, its OIG, or any local, state, or federal agency with jurisdiction over the entity.’’ This rule requires that Pilot participants must retain documents regarding participation in the Pilot, including asset and inventory records, accumulated during the Pilot, for a period of 10 years. 83. While commenters generally did not opine on these issues, the Commission finds that this new rule, § 54.2010(a), will ensure that participants have sufficient records on hand related to all aspects of their participation in the Pilot to permit entities with jurisdiction over the participant, including USAC and the Commission, to make efficient and reliable determinations of compliance, e.g., as part of any post-audit review or investigation that bears on potential waste, fraud and abuse in the Pilot Program. The Commission finds that this new rule, § 54.2010(b), will effectively establish (or confirm) that a E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61300 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations Pilot participant must provide documents to external parties with valid jurisdiction when a request is made for the retained documents. The Commission finds its actions are warranted as the Commission, as a careful steward of the USF’s limited funds, has a strong interest in ensuring that sufficient documentation is available and can be accessed to permit external parties with jurisdiction to make reliable and efficient determinations of potential waste, fraud and abuse in the Pilot. The Commission also finds that the new rules will meaningfully inform potential Commission short-term action, e.g., through enforcement or other remediation steps if the integrity of the Pilot Program is threatened, and longterm action, that could potentially result in future revision of Commission or USAC processes to better protect the USF and the USF programs. Moreover, the Commission finds these rules, including the associated ‘‘10 year’’ retention and production requirements, are likely to be effective in protecting the integrity of the Pilot because they are modeled after existing § 54.516 of the Commission’s rules with only clarifying amendments reflective of the structure of the Pilot. The Commission has found the E-Rate rules to be effective over the course of its many years of experience overseeing USAC’s administration of the E-Rate program. As the Commission has previously noted, these rules, including the 10-year document retention and production requirement, appropriately balance the need to have pertinent documentation available for review with corresponding administrative burdens and storage costs borne by E-Rate applicants and service providers. The Commission expects similar benefits to accrue in relation to the Pilot. 84. In balancing the longstanding goal of fair and open procurement with the disbursement of USF support for eligible equipment and services, the Commission adopts gift restrictions for the Pilot. Consistent with the E-Rate program, the Commission prohibits eligible schools and libraries receiving Pilot Program support, including their employees, officers, representatives, agents, independent contractors, consultants, and individuals who are on the governing boards, from soliciting or accepting any gift or other thing of value from a service provider participating in or seeking to participate in the Pilot. Similar to the E-Rate program, participating service providers, including their employees, officers, representatives, agents, independent VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 contractors, consultants, and individuals who are on governing boards, are likewise prohibited from offering or providing any gift or other thing of value to eligible entities, including their employees, officers, representatives, agents, independent contractors, consultants, and individuals who are on the governing boards. 85. As an additional measure to protect the integrity of the Pilot, the Commission also requires participants to provide several certifications as part of the FCC Form 484 application, competitive bidding, requests for services, and invoicing processes. Similarly, the Commission requires their selected service providers to provide certifications related to Pilot invoicing processes. The Commission finds, and no commenter disagrees, that the use of certifications are a key compliance mechanism to protect the limited Pilot funds. All certifications must be made subject to the provisions against false statements contained in the Act and Title 18 of the United States Code. 86. Duplicate Funding Certification. The Commission confirms that it will not provide support for eligible services and equipment, or the portion of eligible services and equipment, that have already been reimbursed with other Federal, state, Tribal, or local funding, or are eligible for discounts from E-Rate or another universal service program. No commenters opposed adopting this limitation to stretch the Pilot’s limited funds. To implement this prohibition on requesting or receiving duplicative funding, the Commission will require Pilot participants and service providers to certify on the FCC Forms 472 or 474 that they are not seeking support or reimbursement for Pilot-eligible services and equipment that have been purchased and reimbursed with other Federal, state, Tribal, or local funding, or are eligible for discounts from E-Rate or another universal service program. The Commission takes this action to ensure that the limited Pilot support will be used for its intended purposes and clarify that if the Pilot-eligible services and equipment are fully reimbursed through other sources, participants and service providers should not be seeking funding for them through the Pilot Program. 87. Additional Certification Requirements. The Commission also requires Pilot participants, when submitting their Pilot FCC Form 470 competitive bidding forms, and Pilot participants and service providers when submitting their FCC Forms 472 and 474 requests for reimbursement (i.e., PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 invoicing forms), respectively, to provide several additional certifications. For example, Pilot participants and service providers must certify that they are seeking funding for only Piloteligible services and equipment. Pilot participants and service providers should be aware that the certification descriptions referenced in this section are not exhaustive and it is incumbent on them to familiarize themselves with the certifications required by each of the Pilot forms and rules that are applicable to them. 88. Support provided for cybersecurity services and equipment funded through the Pilot will be subject to audits and reviews consistent with the procedures currently used for the USF programs (e.g., Beneficiary and Contributor Audit Program audits and Payment Integrity Assurance (PIA) reviews), and could be subject to recovery measures should the Commission and/or USAC find a violation of its rules and deem it appropriate. Specifically, applicants, participants, and service providers may be subject to audits and other investigations by USAC and/or Bureaus and Offices of the Commission to evaluate compliance with the rules it adopted. The Commission considers audits and other review mechanisms in the Pilot program to be important tools in ensuring compliance with its rules and identifying instances of waste, fraud, and abuse. Considering the action it took to create the Pilot Program using universal service funding, the Commission expects that these tools will continue to be paramount to its ability to ensure that these finite funds are used appropriately and consistent with its rules. 89. Consistent with its proposals in the Cybersecurity NPRM, the Commission will apply its existing USF suspension and debarment rules to the Pilot. In addition, to the extent that the Commission adopts updated and final suspension and debarment rules in a separate and pending proceeding, it will apply the updated rules to the Pilot Program.’’ 90. While commenters did not opine on these issues, the Commission finds it beneficial to apply its USF suspension and debarment rules, which are applicable to existing USF programs and codified at § 54.8 of its rules, to the Pilot as well. The Commission’s decision to make these rules binding on persons, including individuals and entities, involved in the Pilot provides these groups with notice as to the types of behavior that could result in their suspension and debarment (and the suspension and debarment of others), E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations the processes by which suspension and debarment would be determined, and some of the consequences of such action. The Commission also finds that this action will permit Pilot participants to make better-informed decisions as to the consultants and other persons that they choose to employ or otherwise retain (e.g., based on factors that are identified in its suspension and debarment rules) for work on the Pilot Program, which will protect participants, and the USF, from waste, fraud, and abuse. As the Pilot incorporates administrative processes, forms, and rules from E-Rate and other USF programs, the Commission finds it reasonable to apply its existing USF suspension and debarment rules to the Pilot as well. The Commission finds that doing so ensures that participants are able to engage a variety of persons with expertise and skills relevant to the USF generally, and Pilot specifically, while also preventing potential bad actors from undermining the Pilot’s goals. Ultimately, the Commission finds that its actions will support its mission to maintain the Pilot’s integrity and protect it from waste, fraud, and abuse. 91. Similarly, the Commission finds it appropriate to apply any new Commission USF suspension and debarment rules that may be finalized during the course of the Pilot to the Pilot as well. The Pilot incorporates administrative processes, forms, and rules from E-Rate and other USF programs. The Commission therefore finds it reasonable to apply any new suspension and debarment rules developed for those programs to the Pilot as well. 92. The Commission adopts three performance goals to enable it to evaluate the Pilot Program. The Commission expects that, to the extent that the Pilot Program meets these goals, the results of the Pilot will help us assess the costs and benefits of utilizing universal service funds to support schools’ and libraries’ cybersecurity needs, as well as how other Federal resources could best be leveraged to ensure that these needs are addressed in the most efficient and effective manner. The Commission also adopts a periodic reporting requirement designed to allow the Commission evaluate the goals and success of the Pilot Program while, to the extent possible, taking steps to minimize the burden on Pilot participants. 93. In the Cybersecurity NPRM, the Commission proposed three performance goals for the Pilot Program. Specifically, the Commission proposed the goals of: (i) improving the security and protection of E-Rate-funded VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 broadband networks and the data on those networks; (ii) measuring the costs associated with cybersecurity services and equipment, and the amount of funding needed to adequately meet the demand for these services if extended to the E-Rate program; and (iii) evaluating how to leverage other Federal K–12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs. Additionally, the Commission proposed and sought comment on how it can best measure progress towards these goals, to ensure that the limited Pilot funds are used most impactfully and effectively. The Commission also sought comment on how to evaluate the Pilot, including whether participants should submit periodic reports and other assessments and evaluations. 94. Based on the record, the Commission adopts its three proposed performance goals for the Pilot. The Commission notes that commenters broadly supported the three proposed goals, considering them appropriate to allow the Commission to assess the effectiveness and cost of the cybersecurity services and equipment used in the Pilot. 95. First Performance Goal: Improving the Security and Protection of E-RateFunded Broadband Networks and Data. First, the Commission adopts a goal for the Pilot Program of improving the security and protection of E-Rate-funded broadband networks and data. Funding made available by the Pilot will help participants acquire cybersecurity services and equipment to improve the security of their broadband networks and data. Commenters generally supported this goal. Cisco, for example, deemed the goal consistent with the Commission’s ‘‘statutory responsibilities to adapt the universal service rules to account for advances in telecommunications and information technology.’’ Making funding available for cybersecurity services and equipment will help Pilot participants protect and secure their E-Rate-funded broadband networks and data to mitigate increasing cybersecurity threats. In adopting this goal, the Commission emphasizes that it is not only seeking to improve the security and protection of E-Rate-funded Pilot participants, but also to gather information to aid the exploration of improving the security and protection of E-Rate-funded networks going forward. To that end, and as discussed herein, the Commission is not limiting Pilot participation to existing E-Rate participants but will allow all eligible schools, libraries, and consortia to apply for the Pilot. By taking a holistic PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 61301 approach that incorporates all types of eligible schools and libraries, the Commission seeks to gather data that will help it evaluate how best to safeguard E-Rate-funded networks now and in the future. 96. Second Performance Goal: Measuring the costs associated with cybersecurity services and equipment, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants. Next, the Commission adopts a goal of measuring the costs and effectiveness of cybersecurity services and equipment. By making a wide range of cybersecurity services and equipment eligible for USF support, the Pilot will enable the Commission to gather data on the associated cost and effectiveness of various cybersecurity solutions. As ALA, in particular, has observed, there are concerns about the cost to the USF of adding any new E-Rate eligible services and equipment, including cybersecurity services and equipment. By measuring these costs as part of the Pilot, the Commission will be wellpositioned to evaluate the potential challenges to funding these types of services and equipment over the long term. In addition, to measure effectiveness, CIS recommended that the Commission require participants ‘‘to assess themselves before the Pilot and annually against a recognized cybersecurity framework and provide their scores as a measurement of success against their individual baseline.’’ With such recommendations in mind, the Commission adopts a goal of measuring the costs and effectiveness of cybersecurity services and equipment, gathering data for the Commission to determine whether it is economically feasible to support advanced firewall and other cybersecurity services and equipment with universal service funding. In adopting this goal, the Commission disagrees with commenters who suggest that, in collecting data to evaluate the Pilot, its goals should be focused on determining ‘‘how to best modernize the E-rate Category 2 to include cybersecurity permanently’’ or adopting concurrent changes to its category two rules to permit funding for advanced firewalls and MFA. Although the Commission hopes to learn more about whether and how to best fund cybersecurity services and equipment at the conclusion of the Pilot, it does not prejudge the appropriate mechanism or services and equipment to fund and, instead, look holistically at how universal service funds could be used to meet the K–12 schools’ and libraries’ E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61302 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations demand for cybersecurity services and equipment. 97. Third Performance Goal: Evaluating how to leverage other Federal K–12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs. Third, the Commission adopts a goal of evaluating how to best leverage other available and low-cost and free Federal resources to better equip K–12 schools and libraries to proactively address their cybersecurity risks, though it does not go so far as to require the use of specific Federal Government tools and resources as initially discussed in the Cybersecurity NPRM. Commenters generally agreed with this goal. The Friday Institute for Education Innovation (Friday Institute), for example, stated that its Federal partners ‘‘provide a wealth of best practices and knowledge,’’ and ‘‘[r]elying on their expertise is a prudent approach to shaping the E-rate program’s cybersecurity component.’’ CTIA emphasized the importance of collaborating with other agencies to pursue and implement shared cybersecurity objectives. Commenters emphasize that collaboration with other Federal partners is ‘‘vital,’’ with the Cybersecurity Coalition and Information Technology Industry Council (Cybersecurity Coalition/ITI) noting that they are ‘‘pleased’’ that the Pilot is focused on ‘‘how to balance [the] ‘complementary work of federal agency partners.’ ’’ The Commission agrees with commenters on the importance of leveraging the expertise of its Federal, state, and local partners, and adopting this goal for the Pilot Program signals its intent to continue to work collaboratively on shared objectives to streamline its efforts to address schools’ and libraries’ cybersecurity challenges. To this end, the Commission agrees with commenters that, where possible, it should align its Pilot with the cybersecurity goals of its Federal partners. 98. Data reporting requirements for participants. To measure the Pilot’s success in meeting the aforementioned goals, the Commission adopts initial, annual, and final reporting requirements for participants. In the Cybersecurity NPRM, the Commission proposed that Pilot participants submit certain information to apply for the Pilot, a progress report for each year of the Pilot, and a final report at the conclusion of the Pilot. The Commission also proposed that these reports contain information on how Pilot funding was used, any changes or advancements that were made to the school’s or library’s cybersecurity efforts outside of the Pilot- VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 funded services and equipment, the number of cyber incidents that occurred each year of the Pilot Program, and the impact of each cyber incident on the school’s or library’s broadband network and data. The Commission sought comment on these proposals, as well as the best ways for it to evaluate the Pilot and measure progress towards the proposed performance goals. 99. Commenters generally agreed with its proposal to establish data reporting requirements. Crown Castle Fiber LLC (Crown Castle) noted the value of data reporting requirements, stating that they provide ‘‘valuable insight into the types of new services and equipment that applicants purchase to address their network and data security concerns and the impact of implementing various cybersecurity solutions.’’ FFL emphasized that the effectiveness of the Pilot Program should be measured by progress made toward the implementation of solutions and tactics known to increase resiliency to attacks, not by the presence or characteristics of cyberattacks or applicant responses during an applicant’s participation in the Pilot. CTIA suggested that the reporting requirements use standardized metrics to obtain a common baseline of data across participants to aid in program evaluation. 100. Some commenters provided detailed recommendations about the reporting metrics the Commission should use to gather and report Pilot data. CrowdStrike, for example, stated that one promising evaluation metric is mean time to detection and response, and suggested that the Commission designate a ‘‘control group’’ of similar organizations to assess Pilot success. Rubrik proposed a variety of metrics to measure Pilot effectiveness, such as the ability to quickly recover from a cyber event; identify sensitive data on the network where it resides and determine who has access to it; and test cyber recovery functionality to properly plan for a cyber event. The City of New York Office of Technology and Innovation (City of NY OTI) suggested specific metrics that could include ‘‘Mean Time to Detect’’; ‘‘Mean Time to Response’’; ‘‘False Positive Rate’’; ‘‘True Positive Rate’’; and ‘‘Investigation Rate to Incident Containment Rate.’’ 101. Based on the record, the Commission adopts the requirement for initial, annual, and final reporting so that Pilot participants evaluate and report on their cybersecurity readiness before they begin participation in, during, and after the Pilot Program and it directs the Bureau to add a certification as part of the data collection requirements that will require PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 participants to certify to the accuracy of the information reported and define mechanisms for enforcement. Specifically, after providing an initial baseline assessment using information that includes the reporting requirements for the second part of the application process, Pilot participants will be required to submit annual reports, followed by a final report at the completion of the program. In establishing these periodic reporting requirements, the Commission seeks to balance its need for gathering the data necessary to evaluate the goals and success of the Pilot with commenters’ recommendations that it minimize the burden on Pilot participants to the extent possible. The Commission finds that tracking and evaluating participants’ cybersecurity progress over the course of the Pilot will be essential in helping us determine whether and how to fund schools’ and libraries’ cybersecurity needs through the E-Rate program or another universal service program on an ongoing basis. Information contained in initial, annual, and final reports will be presumptively confidential; however, the Commission does plan to use school or library data as a tool to evaluate the Pilot and determine next steps. Additionally, at its discretion, the Commission may create for public release a version of this information that is aggregated, anonymized, or otherwise not subject to protection from disclosure under the Freedom of Information Act. The Commission requires Pilot participants to submit each annual report no later than 60 days following the conclusion of each year (i.e., year one and year two) of the Pilot Program, and to submit their final report no later than 60 days following the conclusion of the last year (i.e., year three) of the Pilot Program. To accomplish the goal of periodic reporting by Pilot participants, the Commission delegates to the Bureau the authority to use school and library data to evaluate the Pilot, as well as the authority to create and release a public version of this information. The Commission also directs the Bureau to release a Public Notice (or multiple Public Notices, as needed) detailing the specific information to be provided by Pilot participants, additional detail regarding the timing for the submission of these reports, and to consider developing a standardized reporting form and publicizing its availability. In developing the required reporting metrics, the Commission directs the Bureau to consult with OEA and relevant Federal partners to identify those metrics that will best serve the E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations needs of the Pilot and allow the Commission to evaluate whether and to what extent the Pilot succeeded in meeting the three performance goals. The Bureau should, to the extent practicable, and subject to approval from OMB, make the data reporting requirements available to Pilot participants prior to the availability of the Pilot FCC Form 470 to enable participants to consider whether there is any required information that they may need to obtain from their vendor(s) during the competitive bidding process. 102. Finally, in making these data reporting recommendations, a few commenters expressed concerns about protecting both the sensitive nature of the data and insulating Pilot applicants and participants from malicious cybersecurity actors who would use the data for nefarious purposes. The Commission is sensitive to and agree with these concerns and have measures in place to protect the school- and library-specific cybersecurity data it requests as part of the Pilot Program. Specifically, the Commission finds that the information provided by Pilot participants in the initial, annual, and final reports required by the Pilot constitutes sensitive business information and the reports may also contain trade secrets. The Commission therefore will treat this information as presumptively confidential under its rules and withhold it from public inspection. In addition, the Commission has elected to bifurcate the application process, seeking a more general level of cybersecurity information from applicants and leaving the more detailed cybersecurity reporting for Pilot participants. Taken together, the Commission expects that these measures will alleviate commenters’ concerns about protecting Pilot applicants’ and participants’ sensitive information regarding cybersecurity threats and readiness. 103. Pilot Program reports. The Commission directs the Bureau, in consultation with OEA, to review the reports submitted by Pilot participants and publish one interim report during the three-year Pilot and a final report after the Pilot has concluded. The interim report will, at a minimum, provide a summary of funding commitments and disbursements to-date and provide an update on progress toward the Pilot Program’s performance goals. The final report will, at a minimum, provide a summary of funding disbursements, evaluate the Pilot Program’s success in meeting each performance goal, and identify lessons learned. Recognizing the sensitivity of the information provided by Pilot VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 applicants and participants, the Commission directs the Bureau to follow procedures for confidential information, including aggregating the information as necessary. The Commission directs the Bureau to publish the interim report no later than 180 days after Pilot participants submit their second (i.e., year two) annual reports and to publish the final report no later than 180 days after Pilot participants submit their final (i.e., year three) reports. 104. The Commission provides a path for recourse to parties aggrieved by decisions issued by USAC as a result of, or during, the Pilot. Specifically, the Commission adopts appeal and waiver request rules consistent with those that govern USAC’s administration of the USF programs, including the E-Rate program. The Commission finds these existing processes sufficient to provide a meaningful review of decisions issued by USAC and the Commission regarding the Pilot. However, the Commission makes one modification for the Pilot Program appeal and waiver rules and provide a 30-day timeframe to request the review of an action by USAC, or to request the review of a decision by USAC or a waiver of the Commission’s rules. Despite assertions from some commenters that modifying the rules in this manner would limit Pilot participant flexibility and is unnecessary in this context, the Commission thinks this change will benefit Pilot participants (and the program generally) by providing faster timeframes for appeal and waiver decisions and final Pilot funding decisions. Additionally, the Commission finds that a 30-day timeframe is appropriate given the limited three-year duration of the Pilot Program. 105. The Commission concludes that the Commission has legal authority to establish a Pilot Program that provides USF support for cybersecurity services and equipment to eligible schools and libraries. As a preliminary matter, in the Cybersecurity NPRM, it tentatively concluded that the Commission has sufficient legal authority for funding cybersecurity services and equipment for schools and libraries pursuant to sections 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the Act. The Commission noted that the Pilot is consistent with Congress’s view that the USF represents an evolving level of service, informing potential future actions that the Commission would take to further its obligation to ‘‘establish periodically’’ universal service rules that ‘‘tak[e] into account advances in telecommunications and information PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 61303 technologies and services.’’ Additionally, the Commission noted that the existing record supported the view that the Pilot is ‘‘technically feasible and economically reasonable’’ as required by section 254(h)(2)(A) of the Act. The Commission also noted that the proposed Pilot appeared consistent with section 254(c)(3) of the Act, which grants the Commission authority to ‘‘designate additional services for [USF] support . . . for schools [and] libraries,’’ as the Pilot would allow for the designation of additional services that may be used by participating schools and libraries based on USF funding. In the Cybersecurity NPRM, the Commission sought additional comment on such views and on the other sources of legal authority, such as the extent to which the Pilot fulfills the Commission’s mandate to make ‘‘[q]uality services’’ available at just, reasonable, and affordable rates, and the limits and restrictions that it should place on recipients of Pilot funds to remain within the statutory authority. 106. Commenters generally supported its conclusion that sufficient legal authority exists for the creation of this Pilot Program. In particular, commenters agreed that universal service is an ‘‘evolving level of telecommunications services,’’ and noted that the Pilot-supported services and equipment ‘‘reflect ongoing advances in schools and libraries broadband networks and services.’’ Furthermore, Cisco stated that enhanced cybersecurity services and equipment strengthens and ensures access to and usability of broadband networks, supporting the Act’s mandate that the Commission enhance access to advanced telecommunications and information services for schools and libraries. Cisco also noted that the scale and number of cybersecurity threats and attacks increased during the pandemic, as schools shifted to heavier reliance on technology services, and ‘‘such changed circumstances support consideration of a change in the Commission’s policy with respect to the funding of cybersecurity measures for schools and libraries,’’ in furtherance of Congress’s mandate ‘‘to take into account evolving technologies and to designate additional services to support enhanced connectivity for schools and libraries.’’ 107. It agrees with these assessments, and affirm its conclusion in the Cybersecurity NPRM that the Commission has sufficient legal authority to use universal service funds to support cybersecurity services and equipment for eligible schools and libraries, for several reasons. First, the Commission agrees that providing E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61304 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations support for cybersecurity services and equipment fulfills its mandate under section 254(c)(1) of the Act to periodically refine universal service to take into account advances in technology and services. As CoSN points out, the Pilot Program will provide support for new services and equipment that reflect advances in school networking technology. By studying how best universal service funds can be used to support E-Ratefunded networks and data, the Pilot enables us to refine universal service in today’s modern educational environment, pursuant to section 254(c)(1) of the Act. 108. Second, the Commission finds that Pilot funds will be used for ‘‘educational purposes,’’ pursuant to section 254(h)(1)(B) of the Act. E-Rate rules require schools and libraries to use eligible services ‘‘primarily for educational purposes,’’ defined for schools as ‘‘activities that are integral, immediate, and proximate to the education of students,’’ and for libraries as ‘‘activities that are integral, immediate, and proximate to the provision of library services to library patrons.’’ Pilot funds will help ensure that school and library connections are reliable and not disrupted by cyberattacks, and will further protect the sensitive data often stored on those networks. As such, use of Pilot funds serves an educational purpose, by promoting the education of students, or the provision of library services to library patrons, free from disruption, cyberattack, or theft of sensitive data, pursuant to its mandate under section 254(h)(1)(B) of the Act. 109. Furthermore, the Commission concludes that the use of universal service support for advanced firewalls and other cybersecurity services and equipment for educational purposes fits within the Commission’s authority and direction under section 254(h)(1)(B) of the Act to designate ‘‘services that are within the definition of universal service under subsection (c)(3),’’ which authorizes the Commission to designate non-telecommunications services for support. In the First Universal Service Order, 62 FR 32862, June 17, 1997, the Commission found that sections 254(h)(1)(B) through 254(c)(3) of the Communications Act authorizes universal service support for telecommunications services and additional services such as information services. The Commission therefore finds that, to the extent any of the advanced firewall or cybersecurity services are not telecommunications services, those services nevertheless can be purchased with universal service VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 support pursuant to section 254(h)(1)(B) of the Act. In addition, sections 254(h)(1)(B) through 254(c)(3) of the Act provides authority to support the advanced firewall and cybersecurity equipment that the Pilot will fund to protect E-Rate-funded networks and data. In the First Universal Service Order, the Commission concluded that ‘‘we can include ‘the information services,’ e.g., protocol conversion and information storage, that are needed to access the internet, as well as internal connections, as ‘additional services’ that section 254(h)(1)(B), through section 254(c)(3), authorizes us to support.’’ The Commission further distinguished between ineligible types of peripheral equipment (e.g., laptops) and eligible equipment that is necessary to make the services functional. Therefore, the Commission also finds that because advanced firewall and cybersecurity equipment are critical to support the services that will protect E-Rate-funded networks and data, they fall into the latter category and it therefore concludes that the Commission has authority under sections 254(h)(1)(B) through 254(c)(3) of the Act to support the purchase of advanced firewall and cybersecurity equipment for educational purposes. 110. Additionally, the Commission has concluded that, pursuant to sections 4(i) and 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the Act, E-Rate-supported services can be provided by both telecommunications carriers and nontelecommunications carriers. In reaching this conclusion, the Commission determined that section 254(h)(1)(B)’s requirement that discounts for services be provided to ‘‘telecommunications carriers’’ does not ‘‘stand as a bar to its authority to allow non-telecommunications providers to provide such services and participate in the E-rate program’’ under sections 254(h)(2)(A) and 4(i) because limiting the eligibility of such services to only those provided by telecommunications carriers would ‘‘unduly limit the flexibility of schools and libraries to select the most cost-effective broadband solutions to meet their needs, which would be inconsistent with its schools and libraries policies.’’ Moreover, permitting the provision of such services by both telecommunications and non-telecommunications carriers ‘‘enhances access to advanced telecommunications and information services for public and non-profit elementary and secondary school classrooms and libraries.’’ Consistent with this authority, the Commission likewise allow Pilot participants to PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 purchase eligible services and equipment from both telecommunications and nontelecommunications providers because it will provide Pilot participants with greater access and flexibility to select the best option at lower costs. 111. Third, and separately, the Commission affirms its authority under section 254(h)(2)(A) of the Act, as the Pilot will enhance access to advanced telecommunications and information services for elementary and secondary school classrooms and libraries. The use of Pilot-supported services to protect school and library broadband networks further enhances school classroom and library access to other advanced telecommunications and information services. Specifically, the Commission agree with CoSN that ‘‘cyberattacks throttle or completely thwart the ability of schools and libraries to use the ‘advanced telecommunications and information services’ promised by the Act.’’ Supporting cybersecurity services through the Pilot will enable and encourage participants to make full use of their connectivity services, with the reassurance that their broadband networks and services, and the information contained in them is protected. The Commission finds this to be true even for use of school-owned devices used for educational purposes outside of the school, for example, in a student’s home. Section 254(h)(2)(A)’s reference to ‘‘classrooms’’ is not prohibitive to the use of E-Rate support for off-premises use. The statute directs the Commission to establish rules to enhance access ‘‘for all public and nonprofit elementary and secondary school classrooms . . . and libraries.’’ Notably, the text does not say to enhance access to services ‘‘at’’ or ‘‘in’’ school classrooms (or libraries), as would more naturally indicate a tie to a physical location. As such, the statute permits funding of services that enhance access for school classrooms and libraries, even if such services are used off-premises. Accordingly, the Pilot can support the purchase of advanced firewall and cybersecurity services and equipment for use on school-owned devices for educational purposes, even if those devices may be used offpremises. 112. Lastly, the Commission finds that the Pilot Program is economically reasonable, and a prudent use of the limited universal service funds. The Commission has previously found expanding the types of cybersecurity services and equipment beyond basic firewall services to be cost-prohibitive to the E-Rate program. Since then, however, the COVID–19 pandemic E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations changed how K–12 schools and libraries use their broadband networks for educational purposes, and K–12 schools and libraries increasingly find themselves prime targets for cybersecurity threats and attacks by malicious actors who seek to exploit the schools’ and libraries’ networks and data. In light of such developments, as well as an increased cap for E-Rate funding, exploring expanding funding for cybersecurity services and equipment beyond basic firewalls is now prudent to determine whether there is more the Commission can do to protect schools’ and libraries’ E-Ratefunded broadband networks. Furthermore, by conducting a limited Pilot, the Commission can best determine whether it can support these essential services without jeopardizing the ability of the E-Rate program to continue to support the connectivity of school and library broadband networks. Generally, commenters were in favor of increasing funding to support cybersecurity services beyond basic firewalls. For example, CIS recommended that the Commission ‘‘allow funding for any cybersecurity protection that improves or enhances the cybersecurity of an organization.’’ Cisco stated that ‘‘enhanced cybersecurity and advanced firewalls are needed for the delivery of reliable and useable broadband connectivity to students and educators’’ and funding such services is ‘‘consistent with the public interest, convenience, and necessity.’’ As a result, the Commission finds funding cybersecurity services and equipment through the Pilot to be a prudent use of the limited USF support and conclude that the Pilot is economically reasonable pursuant to section 254(h)(2)(A) of the Act. 113. The Commission concludes that the requirements of the Children’s internet Protection Act (CIPA) are triggered by the purchase of eligible services or equipment through the Pilot Program. As it has explained in the ERate and ECF programs, CIPA applies to the use of school- or library-owned computers, including laptop and tablet computers, if the school or library accepts support for services and equipment that are used for internet access, internet services, or internal connections. As discussed in the Cybersecurity NPRM, Congress enacted CIPA to protect children from exposure to harmful material while accessing the internet from a school or library, and CIPA prohibits certain schools and libraries having computers with internet access from receiving funding under section 254(h)(1)(B) of the Act unless VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 they comply with specific internet safety requirements. Its determination that CIPA is applicable to the Pilot Program is consistent with past Commission decisions in the E-Rate program and E-Rate ESLs which have included both basic firewall services provided as a standard component of a vendor’s internet access service as category one internet access services, and standalone basic firewall services and components as category two internal connections services. Because the cybersecurity services and equipment it makes eligible under the Pilot Program serve functions equivalent to that of the basic firewall services currently supported by the E-Rate program, the Commission treats them similarly, either as standalone internal connections or as components of internet access. The Commission therefore concludes that the provision of Pilot support is also governed by sections 254(h)(5)(A)(i) and 254(h)(6)(A)(i) of the Act, and compliance with the CIPA internet safety requirements is a condition of the receipt of Pilot Program support. As with the E-Rate and ECF programs, the Commission also concludes that CIPA does not apply where schools or libraries have purchased services to be used only in conjunction with student-, school staff-, or library patron-owned computers. Also, consistent with the ECF program, the Commission finds that a Pilot participant need not complete additional CIPA compliance certifications if it has already certified its CIPA compliance for E-Rate support for the funding year preceding the start of the Pilot (i.e., it has certified its compliance in an E-Rate FCC Form 486 or FCC Form 479). If a Pilot participant has not previously certified its CIPA compliance in the E-Rate program, it will need to do so to qualify for Pilot Program support or certify that it is taking actions to come into compliance with the CIPA requirements. 114. In order to ease program administration, the Commission delegates to the Bureau, consistent with the goals of the Pilot Program, the authority to waive certain program deadlines, clarify any inconsistencies or ambiguities in the Pilot Program rules, adjust Pilot project funding commitments, or to perform other administrative tasks as may be necessary for the smooth implementation, administration, and operation of the Pilot Program. The Commission also delegates to the Bureau the authority to grant limited extensions of deadlines to Pilot projects, PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 61305 and other authority as may be necessary to ensure a successful Pilot Program. 115. In addition, the Commission delegates financial, information security, and privacy oversight of the Pilot Program to OMD and OGC, and direct OMD and OGC to work in coordination with the Bureau to ensure that all financial, information security, and privacy aspects of the Pilot have adequate internal controls. These duties fall with OMD’s current delegated authority to ensure that the Commission operates in accordance with Federal financial statutes and guidance. OMD performs this role with respect to USAC’s administration of the Commission’s universal service programs and it anticipates that OMD will leverage existing policies and procedures, to the extent practicable and consistent with the Pilot, to ensure the efficient and effective management of the program. Finally, it notes OMD is required to consult with the Bureau on any policy matters affecting the Pilot Program, consistent with § 0.91(a) of the Commission’s rules. 116. The Commission directs the Bureau to conduct outreach to educate eligible schools and libraries about the Pilot Program, and to coordinate, as necessary, with other Federal agencies, and state, local, and Tribal governments. As supported by the record in this proceeding, the Commission also directs USAC to develop and implement a communications strategy, under the oversight of the Bureau, to provide training and information necessary for schools and libraries to successfully participate in the Pilot Program. Outreach, education, and engagement with Pilot Program applicants and, ultimately, selected Pilot participants will be an important tool in ensuring the Pilot Program is successful and meets its goals. 117. The Commission recognizes that once implementation of the Pilot Program begins, the Bureau may encounter unforeseen issues or problems with the administration of the program that may need to be resolved. To promote maximum effectiveness and smooth administration of the Pilot Program, the Commission delegates to Bureau staff the authority to address and resolve such unforeseen administrative issues or problems, provided that doing so is consistent with the decisions it reached herein. III. Procedural Matters 118. Paperwork Reduction Act. This document contains new information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, will E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61306 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations invite the general public to comment on the information collection requirements contained in the Order as required by the Paperwork Reduction Act of 1995, Public Law 104–13. In addition, the Commission notes that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107–198, see 44 U.S.C. 3506(c)(4), the Commission previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees. 119. Congressional Review Act. The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, OMB, concurs, that this rule is ‘‘nonmajor’’ under the Congressional Review Act, 5 U.S.C. 804(2). The Commission will send a copy of the Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A). 120. Regulatory Flexibility Act. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the Cybersecurity NPRM, released in November of 2023. The Federal Communications Commission (Commission) sought written public comment on the proposals in the Cybersecurity NPRM, including comment on the IRFA. No comments were filed addressing the IRFA. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA. 121. The Nation’s K–12 schools and libraries increasing rely on remote, digital learning technologies to connect students, teachers, and library patrons to information, jobs, and other vital learning opportunities. This shift has increased the extent to which schools and libraries rely on networks to connect with student and patrons. This shift has also made school and library networks prime targets for cybersecurity threats and attacks. When these attacks occur, they have the potential to disrupt school and library operations, resulting in a loss of learning, reductions in available bandwidth, significant monetary losses, and the potential for the leak and theft of personal information and confidential data associated with students, school staff and library patrons. 122. The Nation’s eligible schools, libraries, and consortia (comprised of eligible schools and libraries) may request universal service discounts for services and equipment to support their network connectivity, including telecommunications services, internet access, and internal connections, VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 through the Commission’s E-Rate program. The E-Rate program was created by the Commission in 1997 in response to the Telecommunications Act of 1996. The E-Rate program currently funds basic firewall service provided as part of the vendor’s internet service as a category one service and separately-priced basic firewalls as a category two service. The E-Rate program, however, does not currently fund advanced firewalls or other cybersecurity services and equipment that have increasingly been requested by commenters to protect school and library networks from cyber harms over the years. 123. In the Order, the Commission establishes a three-year Pilot Program (Pilot or Pilot Program) funded at $200 million, within the USF but separate from the E-Rate program, to enable it to assess the costs and benefits of utilizing universal service funds to support schools’ and libraries’ cybersecurity needs and how other Federal resources could be leveraged to ensure that these needs are addressed in the most efficient and effective manner. One objective of the Pilot is to help participants acquire cybersecurity services and equipment, including many of the equipment and services that have specifically been requested by commenters in the record, to improve the security of their broadband networks and data. Another objective of the Pilot is to measure the costs and effectiveness of cybersecurity services and equipment. By making a wide range of cybersecurity services and equipment eligible for USF support, the Pilot will enable the Commission to gather data on the associated cost and effectiveness of various solutions. A further objective of the Pilot is to evaluate how to best leverage other available low-cost and free Federal resources to help schools and libraries proactively address K–12 cybersecurity risks. To ensure that these objectives can be met, the Commission also adopts requirements that Pilot participants provide initial, annual, and final reports so that Pilot participants can be evaluated for their cybersecurity readiness before they begin participation in, during, and after the conclusion of the Pilot Program. By taking these actions, the Commission will be able to better to fulfill its obligation to ensure that schools and libraries have access to advanced telecommunications, as provided for by Congress in the 1996 Act. 124. In addition, the Order finalizes several aspects of the structure and administration of the Pilot based on the proposals made in the Cybersecurity NPRM. For example, the Pilot PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 establishes: (1) that schools and school districts will be eligible to receive up to $13.60 per student, annually, on a prediscounted basis, to purchase eligible cybersecurity services and equipment, with a pre-discount annual funding floor of $15,000 and a pre-discount annual funding maximum of $1.5 million; (2) a pre-discount annual budget of $15,000 per library, with the provision that library systems with more than 11 sites will be eligible for support up to a pre-discount maximum of $175,000 annually; and (3) that consortia participants comprised of eligible schools and libraries are eligible to receive funding based on student count (using the annual pre-discount $13.60 per student multiplier) and the number of library sites (using the $15,000 per library pre-discount annual budget) subject to either the prediscount $175,000 annual budget maximum for library systems or prediscount $1.5 million annual budget maximum for schools depending on the consortium’s constituency. While these budgets, including associated maximums and floors, are specified in terms of annualized dollar amounts, participants’ expenses are capped based on the full three-year duration of the Pilot and not on an annual basis. Thus, Pilot participants may request reimbursement for expenses as they are incurred even if it means that the amount of funding disbursed to a participant in a given year of the program exceeds their annual budget, so long as the total amount disbursed to a participant over the three-year term does not exceed three times that annual budget. The Pilot requires participants to contribute a portion of the costs of the cybersecurity services and equipment they seek to purchase with Pilot Program support, similar to the nondiscount share that E-Rate applicants are required to contribute to the cost of their eligible services and equipment. The Commission also permits all eligible schools and libraries, including those that do not currently participate in the E-Rate program, to apply to participate in the Pilot. 125. The Commission also adopts a P– ESL in the Order, which specifies eligible cybersecurity services and equipment for the Pilot. The P–ESL deems services and/or equipment eligible if they constitute a protection designed to improve or enhance the cybersecurity of a K–12 school, library, or consortia. To provide clarity and specificity to small entity and other participants, the P–ESL also enumerates as eligible, in a non-limiting manner, four categories of technology raised by E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations commenters as effective in combatting cyber threats, namely, (i) advanced/ next-generation firewalls; (ii) endpoint protection; (iii) identity protection and authentication; and (iv) monitoring, detection, and response. For purposes of the Pilot, the Commission defines: (i) an ‘‘advanced’’ or ‘‘next-generation’’ firewall as equipment, services, or a combination of equipment and services, that limits access between networks, excluding basic firewalls that are funded through the Commission’s ERate program; (ii) endpoint protection as equipment, services, or a combination of equipment and services that implements safeguards to protect school- and library-owned end-user devices, including desktops, laptops, and mobile devices, against cybersecurity threats and attacks; (iii) identity protection and authentication as equipment, services, or a combination of equipment and services that implements safeguards to protect a user’s network identity from theft or misuse and/or provide assurance about the network identity of an entity interacting with a system; and (iv) monitoring, detection, and response as equipment, services, or a combination of equipment and services that monitor and/or detect threats to a network and that take responsive action to remediate or otherwise address those threats. Through the list of examples provided in the P–ESL, the Commission confirms that a wide range of services and equipment that it had proposed for inclusion in the Cybersecurity NPRM, or that commenters had otherwise requested, are eligible. In the Order, the Commission describes that eligibility is limited to equipment that is networkbased (i.e., that excludes end-user devices, including, for example, tablets, smartphones, and laptops) and services that are network-based and/or locally installed on end-user devices, where the devices are owned or leased by the school or library, and where equipment and services are designed to identify and/or remediate threats that could otherwise directly impair or disrupt a school’s or library’s network, including to threats from users accessing the network remotely. 126. In the Order, it explains that ineligible costs include, among other things, (i) any equipment, service, or other related cost that is eligible in the Commission’s E-Rate program eligible services list in the corresponding E-Rate funding year for which Pilot reimbursement is sought, (ii) any equipment, service, or other related cost, or portion thereof, for which a participant has already received reimbursement in full or in part, or VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 plans to apply for reimbursement in full or in part, through any other USF or Federal, state, or local program, and (iii) any equipment or services prohibited by the Secure and Trusted Communications Networks Act of 2019, Public Law 116–124, 134 Stat. 158 (2020) (codified as amended at 47 U.S.C. 1601–1609) (Secure Networks Act) or the Commission’s rules, including §§ 54.9 and 54.10 of the Commission’s rules, that implement the Secure Networks Act. 127. The Commission designates USAC to be the Administrator for the Pilot. The Commission requires applicants to submit part one of a FCC Form 484 application describing its proposed Pilot project and providing information to facilitate the evaluation and eventual selection of high-quality projects for inclusion in the Pilot. To facilitate the inclusion of a diverse set of Pilot projects and to target Pilot funds to the populations most in need of cybersecurity support, the Commission anticipates selecting projects from, and providing funding to, a combination of large and small and urban and rural schools, libraries, and consortia, with an emphasis on funding proposed Pilot projects that include low-income and Tribal applicants. Further, the Commission encourages participation in the Pilot by a broad range of service providers and do not discourage new companies from participating, nor does it require service providers to have preexisting service provider identification numbers (SPIN) before submitting cybersecurity bids or previous E-Rate experience before participating in the Pilot. 128. In the Order, the Commission describes that it will direct funding to: (1) the neediest eligible schools, libraries, and consortia who will benefit most from cybersecurity funding (i.e., those at the highest discount rate percentages); (2) as many eligible schools, libraries, and consortia as possible; (3) those schools, libraries, and consortia that include Tribal entities; and (4) a mix of large and small and urban and rural, schools, libraries, and consortia. This will ensure that the Pilot contains a diverse cross-section of applicants with differing cybersecurity postures and experiences. In the event that number of FCC Form 484 applications received exceeds the number of projects that can be funded through the Pilot, the Commission will prioritize selection of Pilot participants by considering their funding needs in combination with the funding needs of the same type(s) of applicants with an eye toward selecting Pilot participants with differing levels of exposure to PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 61307 cybersecurity threats and attacks. In the event that there is insufficient funding to select all of the Pilot participants at a particular discount rate, the Commission will prioritize the selection of Pilot participants within the discount rate using the percentage of students who are eligible for free and reduced lunches within each applicant’s school district. Funding for libraries will be prioritized based on the percentage of free and reduced lunch eligible students in the school district that is used to calculate the library’s discount rate. Funding for individual schools that are not affiliated financially or operationally with a school district, such as private or charter schools that apply individually, will be prioritized based on each school’s individual free and reduced student lunch eligible population. 129. In the Order, the Commission directs the Bureau and the Universal Service Administration Company (USAC or the Administrator) to model the Pilot processes and forms on existing E-Rate and ECF programs’ processes and forms to the extent possible for the Pilot Program. The Commission expects the Bureau and USAC to leverage the following Pilot forms, that will mirror existing E-Rate and ECF forms: (1) FCC Form 470 (Description of Services Requested and Certification Form); (2) FCC Form 471 (Description of Services Ordered and Certification Form); (3) FCC Form 472 (Billed Entity Applicant Reimbursement (BEAR) Form); and (4) FCC Form 474 (Service Provider Invoice (SPI) Form). 130. To protect the integrity of the Pilot, and safeguard universal service funds, the Commission implements a number of program integrity protections. For example, it implements document retention requirements and a prohibition on gifts, and the Commission requires applicants provide certain certifications and be subject to auditing. The Commission has modeled these provisions after its E-Rate processes to protect the Pilot and ensure the limited program funding is used for its intended purposes. The Commission also applies its existing suspension are debarment rules to the Pilot. The Commission also delegates to Bureau the authority to address and resolve a number of matters, including unforeseen administrative issues or problems, provided that doing so is consistent with the decisions it reached in the Order. The Commission expects that this action will allow the Bureau and USAC to reduce any undue burdens on applicants and other individual and entities involved in the Pilot Program, E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61308 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations while ensuring that all program goals are efficient and effectively satisfied. 131. There were no comments filed that specifically address the proposed rules and policies presented in the IRFA. 132. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments. The Chief Counsel did not file any comments in response to the proposed rules in this proceeding. 133. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the rules adopted herein. The RFA generally defines the term ‘‘small entity’’ as having the same meaning as the terms ‘‘small business,’’ ‘‘small organization,’’ and ‘‘small governmental jurisdiction.’’ In addition, the term ‘‘small business’’ has the same meaning as the term ‘‘small business concern’’ under the Small Business Act. A small business concern is one that: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA). 134. Small Businesses, Small Organizations, Small Governmental Jurisdictions. The Commission’s actions, over time, may affect small entities that are not easily categorized at present. The Commission therefore describes, at the outset, three broad groups of small entities that could be directly affected herein. First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. These types of small businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million businesses. 135. Next, the type of small entity described as a ‘‘small organization’’ is generally ‘‘any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.’’ The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. Nationwide, for tax year 2022, there were approximately 530,109 small exempt organizations in VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS. 136. Finally, the small entity described as a ‘‘small governmental jurisdiction’’ is defined generally as ‘‘governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.’’ U.S. Census Bureau data from the 2022 Census of Governments indicate there were 90,837 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. Of this number, there were 36,845 general purpose governments (county, municipal, and town or township) with populations of less than 50,000 and 11,879 special purpose governments (independent school districts) with enrollment populations of less than 50,000. Accordingly, based on the 2022 U.S. Census of Governments data, the Commission estimates that at least 48,724 entities fall into the category of ‘‘small governmental jurisdictions.’’ 137. Small entities potentially affected by the rules herein are Schools, Libraries, Telecommunications Resellers, Local Resellers, Wired Telecommunications Carriers, All Other Telecommunications, Wireless Telecommunications Carriers (except Satellite), Wireless Carriers and Service Providers, Wired Broadband internet Access Service Providers (Wired ISPs), Wireless Broadband internet Access Service Providers (Wireless ISPs or WISPs), internet Service Providers (Non-Broadband), Vendors of Infrastructure Development or Network Buildout, Telephone Apparatus Manufacturing, Custom Computer Programming Services, Other Computer Related Services (Except Information Technology Value Added Resellers), Information Technology Value Added Resellers, Software Publishers. 138. While the Commission sought to minimize compliance burdens on small entities where practicable, the rules adopted in the Order will impose new or additional reporting, recordkeeping, and/or other compliance obligations on small entities that participate in the Pilot Program. The adopted rules encompass a broad range of Pilot-related compliance requirements that are summarized in further detail below. 139. Application process. The purpose of the Pilot Program is to better assess the costs and benefits of utilizing universal service funds to support schools’ and libraries’ cybersecurity needs and how other Federal resources could be leveraged to ensure that these PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 needs are addressed in the most efficient and effective manner. To do so, the Commission requires Pilot applicants to submit, as part of their application to participate in the Pilot, part one (out of two parts) of a new FCC Form 484 application, including by completing appropriate certifications. In this first part of the application, an applicant will provide a general level of cybersecurity information about itself and its proposed Pilot project, and will use pre-populated data, as well as a number of ‘‘yes/no’’ questions and questions with a predetermined set of responses (i.e., multiselect questions with predefined answers). The applicant will explain how its proposed project meets a number of criteria outlined in the Order. In addition, the applicant must present a clear strategy for addressing the cybersecurity needs of its K–12 school(s) and/or library(ies) pursuant to its proposed Pilot project, and clearly articulate how the project will accomplish the applicant’s cybersecurity objectives. After selection for participation Pilot, participants shall submit to USAC a second part to the FCC Form 484, including by completing appropriate certifications. The second part will require that participants provide more detailed cybersecurity data and Pilot project information, including a description of the Pilot participant’s current cybersecurity posture, information about the participant’s planned use(s) for other Federal, state, or local cybersecurity funding (i.e., funding obtained outside of the Pilot), and information about a participant’s history of cybersecurity threats and attacks within a year of the date of its application. Moreover, the Commission requires applications to be submitted through an online Pilot portal on USAC’s website and direct the Bureau to issue a Public Notice that includes details and instructions on how to submit an application using the Pilot portal on USAC’s website. 140. Competitive Bidding, Requests for Services, and Invoicing and Reimbursement Processes. The Commission requires Pilot participants to provide information related to competitive bidding, requests for services and invoice and reimbursement information, including associated and appropriate certifications, using new Pilot Program forms that will mirror existing E-Rate and ECF forms: (1) FCC Form 470 (Description of Services Requested and Certification Form);(2) FCC Form 471 (Description of Services Ordered and Certification Form); (3) FCC Form 472 (Billed Entity Applicant Reimbursement (BEAR) Form); and (4) E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations FCC Form 474 (Service Provider Invoice (SPI) Form). 141. Reporting Requirements. The Commission requires Pilot participants to submit initial, annual, and final reports. Applicants must provide an initial baseline assessment using information that includes the reporting requirements for the second part of the application process described. 142. Document Retention Requirements. The Commission requires Pilot participants to retain all documents related to their participation in the Pilot Program sufficient to demonstrate compliance with all program rules for at least 10 years from the last date of service or delivery of equipment and to maintain asset and inventory records of services and equipment purchased sufficient to verify the actual location of such services and equipment for a period of 10 years after purchase. This rule requires that Pilot participants must retain documents regarding participation in the Pilot, including asset and inventory records, accumulated during the Pilot, for a period of 10 years. The Commission also requires Pilot participants to present such records upon request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission, its Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. 143. Pilot Program Certifications. As noted, the Commission requires participants to provide several certifications as part of their FCC Form 484 application, competitive bidding requirements, requests for services, and invoicing processes. Similarly, the Commission requires their selected service providers to provide certifications related to invoicing processes. The Commission also requires Pilot participants and service providers to certify that they are not seeking support or reimbursement for Pilot-eligible services and equipment that has been purchased and reimbursed from other Federal, state, Tribal, or local funding sources or that is eligible for discounts from E-Rate or another universal service program. Pilot participants and service providers must certify that they are seeking funding for only Pilot-eligible services and equipment. 144. Other Delegations. As part of the Order, the Commission also delegates to Bureau the authority to address and resolve a number of procedural or administrative matters, including unforeseen administrative issues or problems, provided that doing so is VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 consistent with the decisions it reached in the Order. 145. The record does not include a detailed cost/benefit analysis that would allow the Commission to quantify the costs of compliance for small entities, including whether it will be necessary for small entities to hire professionals to comply with the adopted rules. However, as program participation by applicants and service providers is voluntary, and the Commission expects that Pilot participants will carefully weigh the benefits, costs, and burdens of participation to ensure that the benefits outweigh their costs. The Commission expects that there may be additional benefits that cannot be easily quantified, such as a reduction in learning downtime caused by cyberattacks, reputational benefits from increased trust in school and library systems, increased digital and cybersecurity literacy among students and staff, and the safeguarding of intellectual property. This limited Pilot Program will enable the Commission to evaluate the benefits of using universal service funding to fund cybersecurity services and equipment against the costs before deciding whether to support it on a permanent basis. 146. The RFA requires an agency to provide, ‘‘a description of the steps the agency has taken to minimize the significant economic impact on small entities . . . including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each one of the other significant alternatives to the rule considered by the agency which affect the impact on small entities was rejected.’’ 147. In the Order, the Commission takes multiple steps that minimize economic impact on small entities related to the final rules it adopted. The Commission has sought to minimize economic impact on eligible small schools, libraries and consortia by dividing the process of completing the application form for participation in the Pilot (FCC Form 484) into two parts. By requiring that an applicant only complete the first part of the application form, which seeks more general information, with their initial application (i.e., prior to its decision about whether to approve the entity as a participant in the Pilot), the Commission minimizes the economic impacts associated with filling out the second part of the form in at least two ways. First, applicants that are not selected for participation in the Pilot will never be required to fill out the second portion of the form. Second, applicants that are selected will have PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 61309 additional time to gather and prepare their answers, as compared to an alternate approach where it could have required that the entire form be completed with the initial application. 148. The Commission has also significantly minimized economic impacts on eligible small schools, libraries, consortia and service providers by modeling the Pilot processes and forms, including those related to competitive bidding, requests for services, and invoicing and reimbursement processes, on existing ERate and ECF processes and forms. This includes submitting applications using the Pilot portal on USAC’s website. The Commission expects this action will meaningfully reduce any economic impact on small entities associated with completing information requested via these forms. First, the Commission expects that many small entity participants, including their potential consultants and advisors, and service providers will be familiar with the substance of the forms from their involvement with the Commission’s ERate and ECF processes and forms. Second, the Commission expects that even those small entities that may not be involved with the E-Rate and ECF programs may benefit from the significant guidance and information that the Commission and USAC have issued over the years in those programs (e.g., trainings and instructions materials), that could also be relevant to the Pilot, including future guidance the Bureau will provide about the Pilot Program requirements through a Public Notice. Third, the Commission expects that these forms will generally be easy to use and efficient to complete based on its observation, made over many years, that forms with similar substance have proven effective in the Commission’s E-Rate and ECF programs. The Commission thus expect its actions will significantly minimize any economic impact on small entities compared to an alternative approach where it developed Pilot processes and forms that were not related to those already developed in the Commission’s E-Rate and ECF programs. 149. The Commission has also designed its reporting requirements to minimize the economic impact on small entities while ensuring that it gathers the information necessary to achieve the goals and ensure the success of the Pilot. In particular, have required only annual reporting from participants during the duration of the Pilot rather than alternate approaches where it could have required either per-incident ‘‘real-time’’ reports based on the occurrence of certain notable cyber E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61310 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations events or regular but more frequent (e.g., quarterly) reporting. To further reduce economic impacts on small entities the Commission has also directed the Bureau to consider the development of a standardized reporting form for use by Pilot participants. 150. Additionally, the Commission has also delegated authority to the Bureau to address and resolve a number of matters, including unforeseen administrative issues or problems, provided that doing so is consistent with the decisions it reached in the Order. The Commission expects that that these delegations of authority will permit the Bureau and Administrator to take procedural actions, based on their experience gained managing the Pilot Program, to further reduce, wherever possible, economic impacts on small entities while still ensuring that all Pilot Program goals are effectively and efficiently satisfied. 151. The Commission also will not require the use of specific Federal Government tools and resources in the Pilot as initially suggested in the Cybersecurity NPRM. Further, while several commenters support a shortened Pilot duration of either one year or eighteen months, the Commission adopts its proposed three-year Pilot Program because it will allow us a better opportunity to evaluate whether universal service support should be used to fund cybersecurity services and equipment on a permanent basis. In determining the share of costs, participants will use their category one discount rate to determine the nondiscount share of costs, instead of the category two discount proposed in the Cybersecurity NPRM, allowing participants with the highest discount rate to be eligible for support for 90 percent of their costs. 152. The Commission considered, but declined to adopt, proposals to abandon the traditional E-Rate reimbursement structure and instead provide ‘‘seed’’ money at the start of the Pilot, because requiring participants to contribute their funds toward eligible equipment and services helps to safeguard the integrity of the program and is consistent with processes in E-Rate and other universal service programs. However, for the Pilot, the Commission modifies the time to request appeal and waiver of an action by USAC to 30 days instead of the 60-day timeframe in the existing programs. Though commenters assert this will limit flexibility for participants, the Commission thinks the change is appropriate for the Pilot Program because it will allow for faster decisions in a program that has a limited duration. VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 153. The Commission will send a copy of the Order, including this FRFA, in a report to Congress pursuant to the Congressional Review Act. In addition, the Commission will send a copy of the Order, including the FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Order and FRFA (or summaries thereof) will also be published in the Federal Register. 154. OPEN Government Data Act. The OPEN Government Data Act, requires agencies to make ‘‘public data assets’’ available under an open license and as ‘‘open Government data assets,’’ i.e., in machine-readable, open format, unencumbered by use restrictions other than intellectual property rights, and based on an open standard that is maintained by a standards organization. This requirement is to be implemented ‘‘in accordance with guidance by the Director’’ of OMB. The term ‘‘public data asset’’ means ‘‘a data asset, or part thereof, maintained by the Federal Government that has been, or may be, released to the public, including any data asset, or part thereof, subject to disclosure under [the Freedom of Information Act (FOIA)].’’ A ‘‘data asset’’ is ‘‘a collection of data elements or data sets that may be grouped together,’’ and ‘‘data’’ is ‘‘recorded information, regardless of form or the media on which the data is recorded.’’ The Commission delegates authority, including the authority to adopt rules, to the Bureau, in consultation with the agency’s Chief Data and Analytics Officer and after seeking public comment to the extent it deems appropriate, to determine whether any data assets maintained or created by the Commission pursuant to the rules adopted herein are ‘‘public data assets’’ and if so, to determine when and to what extent such information should be made publicly available to the extent the Commission has not done so. In doing so, the Bureau shall take into account the extent to which such data assets should not be made publicly available because they are not subject to disclosure under the FOIA. 155. People with Disabilities. To request materials in accessible formats for people with disabilities (Braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202–418–0530 (voice). IV. Ordering Clauses 156. Accordingly, it is ordered, that pursuant to the authority contained in sections 1 through 4, 201 through 202, 254, 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. 151–154, 201–202, PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 254, 303(r), and 403, the Report and Order is adopted effective August 29, 2024. 157. It is further ordered, that pursuant to the authority contained in sections 1 through 4, 201 through 202, 254, 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. 151–154, 201–202, 254, 303(r), and 403, part 54 of the Commission’s rules, 47 CFR part 54, is amended, and such rule amendments shall be effective August 29, 2024, except for §§ 54.2004, 54.2005, 54.2006, and 54.2008, which are delayed indefinitely. The Commission will publish a document in the Federal Register announcing the effective date for those sections after approved by the Office of Management and Budget as required by the Paperwork Reduction Act. List of Subjects in 47 CFR Part 54 Communications common carriers, Cybersecurity, Internet, Libraries, Reporting and recordkeeping requirements, Schools, Telecommunications, Telephone. Federal Communications Commission. Katura Jackson, Federal Register Liaison Officer. Final Rules For the reasons discussed in the preamble, the Federal Communications Commission amends part 54 of title 47 of the Code of Federal Regulations as follows: PART 54—UNIVERSAL SERVICE 1. The authority citation for part 54 continues to read as follows: ■ Authority: 47 U.S.C. 151, 154(i), 155, 201, 205, 214, 219, 220, 229, 254, 303(r), 403, 1004, 1302, 1601–1609, and 1752, unless otherwise noted. ■ 2. Add subpart T to read as follows: Subpart T—Schools and Libraries Cybersecurity Pilot Program Sec. 54.2000 Terms and definitions. 54.2001 Cap, budgets, and duration. 54.2002 Eligible recipients. 54.2003 Eligible services and equipment. 54.2004–54.2006 [Reserved] 54.2007 Discounts. 54.2008 [Reserved] 54.2009 Audits, inspections, and investigations. 54.2010 Records retention and production. 54.2011 Administrator of the Schools and Libraries Cybersecurity Pilot Program. 54.2012 Appeal and waiver requests. 54.2013 Children’s internet Protection Act certifications. E:\FR\FM\30JYR3.SGM 30JYR3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES3 § 54.2000 Terms and definitions. Administrator. The term ‘‘Administrator’’ means the Universal Service Administrative Company. Applicant. An ‘‘applicant’’ is a school, library, or consortium of schools and/or libraries that applies to participate in the Schools and Libraries Cybersecurity Pilot Program. Billed entity. A ‘‘billed entity’’ is the entity that remits payment to service providers for services rendered to eligible schools, libraries, or consortia of eligible schools and libraries. Commission. The term ‘‘Commission’’ means the Federal Communications Commission (FCC). Connected device. The term ‘‘connected device’’ means a laptop or desktop computer, or a tablet. Consortium. A ‘‘consortium’’ is any local, Tribal, statewide, regional, or interstate cooperative association of schools and/or libraries eligible for Schools and Libraries Cybersecurity Pilot Program support that seeks competitive bids for eligible services or funding for eligible services on behalf of some or all of its members. A consortium may also include health care providers eligible under subpart G of this part, and public sector (governmental) entities, including, but not limited to, state colleges and state universities, state educational broadcasters, counties, and municipalities, although such entities are not eligible for support. Cyber incident. An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate or eliminate the consequences. Cyber threat. A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society. Cyberattack. An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system or information integrity. Doxing. The act of compiling or publishing personal information about an individual on the internet, typically with malicious intent. Educational purposes. For purposes of this subpart, activities that are integral, immediate, and proximate to the education of students, or in the case of libraries, integral, immediate, and proximate to the provision of library VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 services to library patrons, qualify as ‘‘educational purposes.’’ Elementary school. An ‘‘elementary school’’ means an elementary school as defined in 20 U.S.C. 7801(18), a nonprofit institutional day or residential school, including a public elementary charter school, that provides elementary education, as determined under state law. Library. A ‘‘library’’ includes: (1) A public library; (2) A public elementary school or secondary school library; (3) A Tribal library; (4) An academic library; (5) A research library, which for the purpose of this subpart means a library that: (i) Makes publicly available library services and materials suitable for scholarly research and not otherwise available to the public; and (ii) Is not an integral part of an institution of higher education; and (6) A private library, but only if the state in which such private library is located determines that the library should be considered a library for the purposes of this definition. Library consortium. A ‘‘library consortium’’ is any local, statewide, Tribal, regional, or interstate cooperative association of libraries that provides for the systematic and effective coordination of the resources of schools, and public, academic, and special libraries and information centers, for improving services to the clientele of such libraries. For the purposes of this subpart, references to library will also refer to library consortium. National School Lunch Program. The ‘‘National School Lunch Program’’ is a program administered by the U.S. Department of Agriculture and state agencies that provides free or reduced price lunches to economically disadvantaged children. A child whose family income is between 130 percent and 185 percent of applicable family size income levels contained in the nonfarm poverty guidelines prescribed by the Office of Management and Budget (OMB) is eligible for a reduced price lunch. A child whose family income is 130 percent or less of applicable family size income levels contained in the nonfarm income poverty guidelines prescribed by OMB is eligible for a free lunch. Pilot participant. A ‘‘Pilot participant’’ is an eligible school, library, or consortium of eligible schools and/or libraries selected to participate in the Schools and Libraries Cybersecurity Pilot Program. Pre-discount price. The ‘‘pre-discount price’’ means, in this subpart, the price PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 61311 the service provider agrees to accept as total payment for its eligible services and equipment. This amount is the sum of the amount the service provider expects to receive from the eligible school, library, or consortium, and the amount it expects to receive as reimbursement from the Schools and Libraries Cybersecurity Pilot Program for the discounts provided under this subpart. Secondary school. A ‘‘secondary school’’ means a secondary school as defined in 20 U.S.C. 7801(38), a nonprofit institutional day or residential school, including a public secondary charter school, that provides secondary education, as determined under state law except that the term does not include any education beyond grade 12. Tribal. An entity is ‘‘Tribal’’ if it is a school operated by or receiving funding from the Bureau of Indian Education (BIE), or if it is a school or library operated by any Tribe, Band, Nation, or other organized group or community, including any Alaska native village, regional corporation, or village corporation (as defined in, or established pursuant to, the Alaska Native Claims Settlement Act (43 U.S.C. 1601 et seq.) that is recognized as eligible for the special programs and services provided by the United States to Indians because of their status as Indians. § 54.2001 Cap, budgets, and duration. (a) Cap. The Schools and Libraries Cybersecurity Pilot Program shall have a cap of $200 million. (b) Pilot participant budgets. Each Pilot participant will be subject to a specific budget. Budgets are specified in terms of annualized dollar amounts, but participants’ expenses are capped based on the full three-year duration of the Pilot and participants may seek reimbursement for more than the annual budget for any given Pilot Program year, so long as the total amount disbursed over the three-year term does not exceed three times the applicable annual budget. (1) Schools. At a minimum, each eligible school or school district will receive a pre-discount budget of $15,000 annually. Schools and school districts with 1,100 students or fewer will be eligible to receive the annual prediscount $15,000 funding floor. For schools and school districts with more than 1,100 students, the annual budget is calculated using the pre-discount $13.60 per-student multiplier, subject to an annual pre-discount budget maximum of $1.5 million. (2) Libraries. Each eligible library will receive a pre-discount budget of $15,000 E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61312 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations annually up to 11 libraries/sites. For library systems with more than 11 libraries/sites, the budget will be up to $175,000 pre-discount annually. (3) Consortia. Consortia comprised of eligible schools and libraries will be eligible to receive funding based on student count, using the pre-discount $13.60 per-student multiplier and $1.5 million pre-discount funding caps, and the number of library sites, using the pre-discount $15,000 annual per-library budget and $175,000 pre-discount funding caps. Consortia solely comprised of eligible schools or comprised of both eligible schools and libraries are subject to the pre-discount annual $1.5 million budget maximum for schools and school districts. Consortia solely comprised of eligible libraries will be subject to the prediscount annual $175,000 budget maximum for library systems. (c) Duration. The Schools and Libraries Cybersecurity Pilot Program shall make funding available to applicants selected to participate in the Pilot for three years, to begin when the applicants selected to participate in the Pilot are first eligible to receive eligible services and equipment (i.e., from the date of the first funding commitment decision letter). (d) Rules of prioritization. If total demand for the Schools and Libraries Cybersecurity Pilot Program exceeds the Pilot Program cap of $200 million, funding will be made available as follows: (1) Schools and libraries eligible for a 90 percent discount shall receive first priority for funds, as determined by the schools and libraries discount matrix in § 54.2007. Funding shall next be made available for schools and libraries eligible for an 80 percent discount, then for a 70 percent discount, and continuing at each descending discount level until there are no funds remaining. (2) If funding is not sufficient to support all of the funding requests within a particular discount level, funding will be allocated at that discount level using the percentage of students eligible for the National School Lunch Program (NSLP). Thus, if there is not enough support to fund all requests at the 90 percent discount level, funding shall be allocated beginning with those applicants with the highest percentage of NSLP eligibility for that discount level, and shall continue at each descending percentage of NSLP until there are no funds remaining. § 54.2002 Eligible recipients. (a) Schools. (1) Only schools meeting the definition of ‘‘elementary school’’ or ‘‘secondary school’’, as defined in VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 § 54.2000, and not excluded under paragraph (a)(2) or (3) of this section, shall be eligible for discounts on supported services under this subpart. (2) Schools operating as for-profit businesses shall not be eligible for discounts under this subpart. (3) Schools with endowments exceeding $50,000,000 shall not be eligible for discounts under this subpart. (b) Libraries. (1) Only libraries eligible for assistance from a State library administrative agency under the Library Services and Technology Act (20 U.S.C. 9122) and not excluded under paragraph (b)(2) or (3) of this section shall be eligible for discounts under this subpart. (2) Except as provided in paragraph (b)(4) of this section, a library’s eligibility for discounts under this subpart shall depend on its funding as an independent entity. Only libraries whose budgets are completely separate from any schools (including, but not limited to, elementary and secondary schools, colleges, and universities) shall be eligible for discounts as libraries under this subpart. (3) Libraries operating as for-profit businesses shall not be eligible for discounts under this subpart. (4) A Tribal college or university library that serves as a public library by having dedicated library staff, regular hours, and a collection available for public use in its community shall be eligible for discounts under this subpart. (c) Consortia—(1) Consortium Leader. Each consortium seeking support under this subpart must identify an entity or organization that will lead the consortium (the ‘‘Consortium Leader’’). The Consortium Leader may be an eligible school or library participating in the consortium; a state organization; public sector governmental entity, including a Tribal government entity; or a non-profit entity that is ineligible for support under this subpart. Ineligible state organizations, public sector entities, or non-profit entities may serve as Consortium Leaders or provide consulting assistance to consortia only if they do not participate as potential service providers during the competitive bidding process. An ineligible entity that serves as the Consortium Leader must pass through the full value of any discounts, funding, or other program benefits secured to the eligible schools and libraries that are members of the consortium. (2) For consortia, discounts under this subpart shall apply only to the portion of eligible services and equipment used by eligible schools and libraries. (3) Service providers shall keep and retain records of rates charged to and PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 discounts allowed for eligible schools and libraries on their own or as part of a consortium. Such records shall be available for public inspection. § 54.2003 Eligible services and equipment. (a) Supported services and equipment. All supported services and equipment are identified in the Schools and Libraries Cybersecurity Pilot Program Eligible Services List (see § 54.502(a)), available on the FCC’s website at https://www.fcc.gov/ cybersecurity-pilot/cybersecurity-piloteligible-services-list. The services and equipment in this subpart will be supported in addition to all reasonable charges that are incurred by taking such services, such as state and Federal taxes. Charges for termination liability, penalty surcharges, and other charges not included in the cost of taking such service shall not be covered by universal service support. (b) Prohibition on resale. Eligible supported services and equipment shall not be sold, resold, or transferred in consideration of money or any other thing of value, until the conclusion of the Schools and Libraries Cybersecurity Pilot Program, as provided in § 54.2001. §§ 54.2004–54.2006 § 54.2007 [Reserved] Discounts. (a) Discount mechanism. Discounts for participants in the Schools and Libraries Cybersecurity Pilot Program shall be set as a percentage discount from the pre-discount price. (b) Discount percentages. The discounts available to participants in the Schools and Libraries Cybersecurity Pilot Program shall range from 20 percent to 90 percent of the prediscount price for all eligible services provided by eligible providers. The discounts available shall be determined by indicators of poverty and urban/ rurality designation. (1) For schools and school districts, the level of poverty shall be based on the percentage of the student enrollment that is eligible for a free or reduced price lunch under the National School Lunch Program (NSLP) or a federally-approved alternative mechanism. School districts shall divide the total number of students eligible for the NSLP within the school district by the total number of students within the school district to arrive at a percentage of students eligible. This percentage rate shall then be applied to the discount matrix to set a discount rate for the supported services purchased by all schools within the school district. Independent charter schools, private schools, and other eligible educational facilities should E:\FR\FM\30JYR3.SGM 30JYR3 61313 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations calculate a single discount percentage rate based on the total number of students under the control of the central administrative agency. (2) For libraries and library consortia, the level of poverty shall be based on the percentage of the student enrollment that is eligible for a free or reduced price lunch under the NSLP or a federallyapproved alternative mechanism in the public school district in which they are located and should use that school district’s level of poverty to determine their discount rate when applying as a library system or as an individual library outlet within that system. When a library system has branches or outlets in more than one public school district, that library system and all library outlets within that system should use the address of the central outlet or main administrative office to determine which school district the library system is in, and should use that school district’s level of poverty to determine its discount rate when applying as a library system or as one or more library outlets. If the library is not in a school district, then its level of poverty shall be based on an average of the percentage of students eligible for the NSLP in each of the school districts that children living in the library’s location attend. (3) The Administrator shall classify schools and libraries as ‘‘urban’’ or ‘‘rural’’ according to the following designations. The Administrator shall designate a school or library as ‘‘urban’’ if the school or library is located in an urbanized area or urban cluster area with a population equal to or greater than 25,000, as determined by the most recent rural-urban classification by the Bureau of the Census. The Administrator shall designate all other schools and libraries as ‘‘rural.’’ (4) Participants in the Schools and Libraries Cybersecurity Pilot Program shall calculate discounts on supported services described in § 54.2003 that are shared by two or more of their schools, libraries, or consortia members by calculating an average discount based on the applicable district-wide discounts of all member schools and libraries. School districts, library systems, or other billed entities shall ensure that, for each year in which an eligible school or library is included for purposes of calculating the aggregate discount rate, that eligible school or library shall receive a proportionate share of the shared services for which support is sought. For schools, the discount shall be a simple average of the applicable district-wide percentage for all schools sharing a portion of the shared services. For libraries, the average discount shall be a simple average of the applicable discounts to which the libraries sharing a portion of the shared services are entitled. (c) Discount matrix. The Administrator shall use the following matrix to set the discount rate to be applied to eligible services purchased by participants in the Schools and Libraries Cybersecurity Pilot Program based on the participant’s level of poverty and location in an ‘‘urban’’ or ‘‘rural’’ area. TABLE 1 TO PARAGRAPH (C) Discount level % of students eligible for national school lunch program Urban discount <1 ................................................................................................................................................................. 1–19 ............................................................................................................................................................. 20–34 ........................................................................................................................................................... 35–49 ........................................................................................................................................................... 50–74 ........................................................................................................................................................... 75–100 ......................................................................................................................................................... (d) Payment for the non-discount portion of supported services and equipment. A participant in the Schools and Libraries Cybersecurity Pilot Program must pay the non-discount portion of costs for the services or equipment purchased with universal service discounts, and may not receive rebates for services or equipment purchased with universal service discounts. For the purpose of this subpart, the provision, by the provider of a supported service or equipment, of free services or equipment unrelated to the supported service or equipment constitutes a rebate of the non-discount portion of the costs for the supported services and equipment. khammond on DSKJM1Z7X2PROD with RULES3 § 54.2008 [Reserved] § 54.2009 Audits, inspections, and investigations. (a) Audits. Schools and Libraries Cybersecurity Pilot Program participants and service providers shall be subject to audits and other investigations to evaluate their compliance with the VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 statutory and regulatory requirements in this chapter of the Schools and Libraries Cybersecurity Pilot Program, including those requirements pertaining to what services and equipment are purchased, what services and equipment are delivered, and how services and equipment are being used. (b) Inspections and investigations. Schools and Libraries Cybersecurity Pilot Program participants and service providers shall permit any representative (including any auditor) appointed by a state education department, the Administrator, the Commission, its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity to enter their premises to conduct inspections for compliance with the statutory and regulatory requirements in this subpart of the Schools and Libraries Cybersecurity Pilot Program. § 54.2010 Records retention and production. (a) Recordkeeping requirements. All Schools and Libraries Cybersecurity PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 20 40 50 60 80 90 Rural discount 25 50 60 70 80 90 Pilot Program participants and service providers shall retain all documents related to their participation in the program sufficient to demonstrate compliance with all program rules for at least ten years from the last date of service or delivery of equipment. All Schools and Libraries Cybersecurity Pilot Program applicants shall maintain asset and inventory records of services and equipment purchased sufficient to verify the actual location of such services and equipment for a period of ten years after purchase. (b) Production of records. All Schools and Libraries Cybersecurity Pilot Program participants and service providers shall produce such records upon request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission, its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. E:\FR\FM\30JYR3.SGM 30JYR3 61314 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES3 § 54.2011 Administrator of the Schools and Libraries Cybersecurity Pilot Program. (a) The Universal Service Administrative Company is appointed the Administrator of the Schools and Libraries Cybersecurity Pilot Program and shall be responsible for administering the Schools and Libraries Cybersecurity Pilot Program. (b) The Administrator shall be responsible for reviewing applications for funding, recommending funding commitments, issuing funding commitment decision letters, reviewing invoices and recommending payment of funds, as well as other administrationrelated duties. (c) The Administrator may not make policy, interpret unclear provisions of statutes or rules, or interpret the intent of Congress. Where statutes or the Commission’s rules in this subpart are unclear, or do not address a particular situation, the Administrator shall seek guidance from the Commission. (d) The Administrator may advocate positions before the Commission and its staff only on administrative matters relating to the Schools and Libraries Cybersecurity Pilot Program. (e) The Administrator shall create and maintain a website, as defined in § 54.5, on which applications for services will be posted on behalf of schools and libraries. (f) The Administrator shall provide the Commission full access to the data collected pursuant to the administration of the Schools and Libraries Cybersecurity Pilot Program. (g) The Administrator shall provide performance measurements pertaining to the Schools and Libraries Cybersecurity Pilot Program as requested by the Commission by order or otherwise. (h) The Administrator shall have the authority to audit all entities reporting data to the Administrator regarding the Schools and Libraries Cybersecurity Pilot Program. When the Commission, the Administrator, or any independent auditor hired by the Commission or the Administrator conducts audits of the participants of the Schools and Libraries Cybersecurity Pilot Program, such audits shall be conducted in accordance with generally accepted government auditing standards. (i) The Administrator shall establish procedures to verify support amounts provided by the Schools and Libraries Cybersecurity Pilot Program and may suspend or delay support amounts if a party fails to provide adequate verification of the support amounts provided upon reasonable request from the Administrator or the Commission. VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 (j) The Administrator shall make available to whomever the Commission directs, free of charge, any and all intellectual property, including, but not limited to, all records and information generated by or resulting from its role in administering the support mechanisms, if its participation in administering the Schools and Libraries Cybersecurity Pilot Program ends. If its participation in administering the Schools and Libraries Cybersecurity Pilot Program ends, the Administrator shall be subject to close-out audits at the end of its term. § 54.2012 Appeal and waiver requests. (a) Parties permitted to seek review of Administrator decision. (1) Any party aggrieved by an action taken by the Administrator must first seek review from the Administrator. (2) Any party aggrieved by an action taken by the Administrator under paragraph (a)(1) of this section may seek review from the Commission as set forth in paragraph (b) of this section. (3) Parties seeking waivers of the Commission’s rules in this subpart shall seek relief directly from the Commission and need not first file an action for review from the Administrator under paragraph (a)(1) of this section. (b) Filing deadlines. (1) An affected party requesting review of a decision by the Administrator pursuant to paragraph (a)(1) of this section shall file such a request within thirty (30) days from the date the Administrator issues a decision. (2) An affected party requesting review by the Commission pursuant to paragraph (a)(2) of this section of a decision by the Administrator under paragraph (a)(1) of this section shall file such a request with the Commission within thirty (30) days from the date of the Administrator’s decision. Further, any party seeking a waiver of the Commission’s rules under paragraph (a)(3) of this section shall file a request for such waiver within thirty (30) days from the date of the Administrator’s initial decision, or, if an appeal is filed under paragraph (a)(1) of this section, within thirty days from the date of the Administrator’s decision resolving such an appeal. (3) Parties shall adhere to the time periods for filing oppositions and replies set forth in § 1.45 of this chapter. (c) General filing requirements. (1) Except as otherwise provided in this section, a request for review of an Administrator decision by the Commission shall be filed with the Commission’s Office of the Secretary in accordance with the general requirements set forth in part 1 of this chapter. The request for review shall be PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 captioned ‘‘In the Matter of Request for Review by (name of party seeking review) of Decision of Universal Service Administrator’’ and shall reference the applicable docket numbers. (2) A request for review pursuant to paragraphs (a)(1) through (3) of this section shall contain: (i) A statement setting forth the party’s interest in the matter presented for review; (ii) A full statement of relevant, material facts with supporting affidavits and documentation; (iii) The question presented for review, with reference, where appropriate, to the relevant Commission rule, Commission order, or statutory provision; and; (iv) A statement of the relief sought and the relevant statutory or regulatory provision pursuant to which such relief is sought. (3) A copy of a request for review that is submitted to the Commission shall be served on the Administrator consistent with the requirement for service of documents set forth in § 1.47 of this chapter. (4) If a request for review filed pursuant to paragraphs (a)(1) through (3) of this section alleges prohibitive conduct on the part of a third party, such request for review shall be served on the third party consistent with the requirement for service of documents set forth in § 1.47 of this chapter. The third party may file a response to the request for review. Any response filed by the third party shall adhere to the time period for filing replies set forth in § 1.45 of this chapter and the requirement for service of documents set forth in § 1.47 of this chapter. (d) Review by the Wireline Competition Bureau or the Commission. (1) Requests for review of Administrator decisions that are submitted to the Commission shall be considered and acted upon by the Wireline Competition Bureau; provided, however, that requests for review that raise novel questions of fact, law, or policy shall be considered by the full Commission. (2) An affected party may seek review of a decision issued under delegated authority by the Wireline Competition Bureau pursuant to the rules set forth in part 1 of this chapter. (e) Standard of review. (1) The Wireline Competition Bureau shall conduct a de novo review of requests for review of decisions issued by the Administrator. (2) The Commission shall conduct a de novo review of requests for review of decisions by the Administrator that involve novel questions of fact, law, or policy; provided, however, that the E:\FR\FM\30JYR3.SGM 30JYR3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations Commission shall not conduct a de novo review of decisions issued by the Wireline Competition Bureau under delegated authority. (f) Schools and Libraries Cybersecurity Pilot Program disbursements during pendency of a request for review and Administrator decision. When a party has sought review of an Administrator decision under paragraphs (a)(1) through (3) of this section, the Commission shall not process a request for the reimbursement of eligible equipment and/or services until a final decision has been issued either by the Administrator or by the Commission; provided, however, that the Commission may authorize disbursement of funds for any amount of support that is not the subject of an appeal. khammond on DSKJM1Z7X2PROD with RULES3 § 54.2013 Children’s internet Protection Act certifications. (a) Definitions—(1) School. For the purposes of the certification requirements of this section, school means school, school board, school district, local education agency, or other authority responsible for administration of a school. (2) Library. For the purposes of the certification requirements of this section, library means library, library board, or authority responsible for administration of a library. (3) Billed entity. Billed entity is defined in § 54.2000. In the case of a consortium, the billed entity is the lead member of the consortium. (b) Certifications required. A school or library that receives support for eligible services and equipment through the Schools and Libraries Cybersecurity Pilot Program must make the certifications as described in paragraph (c) of this section. (c) CIPA certifications. (1) A Schools and Libraries Cybersecurity Pilot Program participant need not complete additional Children’s internet Protection Act (CIPA) (47 U.S.C. 254(h) and (l)) compliance certifications if the participant has already certified its CIPA compliance for the schools and libraries universal service support mechanism funding year preceding the start of the Schools and Libraries Cybersecurity Pilot Program (i.e., has certified its compliance in an FCC Form 486 or FCC Form 479). (2) Schools and Libraries Cybersecurity Pilot Program participants that have not already certified their CIPA compliance for the schools and libraries universal service support mechanism funding year preceding the start of the Schools and Libraries Cybersecurity Pilot Program (i.e., have VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 not completed a FCC Form 486 or FCC Form 479), will be required to certify: (i) That they are in compliance with CIPA requirements under 47 U.S.C. 254(h) and (l); (ii) That they are undertaking the actions necessary to comply with CIPA requirements under 47 U.S.C. 254(h) and (l) as part of their request for support through the Schools and Libraries Cybersecurity Pilot Program, and will come into compliance within one year from the date of the submission of its FCC Form 471; or (iii) That they are not required to comply with CIPA requirements under 47 U.S.C. 254(h) and (l) because they are purchasing services to be used only in conjunction with student-, school staffor library patron-owned computers. (d) Failure to provide certifications— (1) Schools and libraries. A school or library that knowingly fails to submit certifications as required by this section shall not be eligible for support through the Schools and Libraries Cybersecurity Pilot Program until such certifications are submitted. (2) Consortia. A billed entity’s knowing failure to collect the required certifications from its eligible school and library members or knowing failure to certify that it collected the required certifications shall render the entire consortium ineligible for support through the Schools and Libraries Cybersecurity Pilot Program. (3) Reestablishing eligibility. At any time, a school or library deemed ineligible for equipment and services under the Schools and Libraries Cybersecurity Pilot Program because of failure to submit certifications required by this section may reestablish eligibility for support by providing the required certifications to the Administrator and the Commission. (e) Failure to comply with the certifications—(1) Schools and libraries. A school or library that knowingly fails to comply with the certifications required by this section must reimburse any funds and support received under the Schools and Libraries Cybersecurity Pilot Program for the period in which there was noncompliance. (2) Consortia. In the case of consortium applications, the eligibility for support of consortium members who comply with the certification requirements of this section shall not be affected by the failure of other school or library consortium members to comply with such requirements. (3) Reestablishing compliance. At any time, a school or library deemed ineligible for support through the Schools and Libraries Cybersecurity Pilot Program for failure to comply with PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 61315 the certification requirements of this section and that has been directed to reimburse the program for support received during the period of noncompliance may reestablish compliance by complying with the certification requirements under this section. Upon submittal to the Commission of a certification, the school or library shall be eligible for support through the Schools and Libraries Cybersecurity Pilot Program. (f) Waivers based on state or local procurement rules and regulations and competitive bidding requirements. Waivers shall be granted to schools and libraries when the authority responsible for making the certifications required by this section cannot make the required certifications because its state or local procurement rules or regulations or competitive bidding requirements prevent the making of the certification otherwise required. The waiver shall be granted upon the provision, by the authority responsible for making the certifications on behalf of schools or libraries, that the schools or libraries will be brought into compliance with the requirements of this section within one year from the date the waiver was granted. 3. Delayed indefinitely, add §§ 54.2004 through 54.2006 to read as follows: ■ § 54.2004 Application for Pilot Program selection and reporting of information. (a) Selection window. The Wireline Competition Bureau shall announce the opening of the Pilot Participant Selection Application Window for applicants to submit a Schools and Libraries Pilot Participant Selection Application. (b) Participant announcement. The Wireline Competition Bureau shall announce those eligible applicants who have been selected to participate in the Schools and Libraries Cybersecurity Pilot Program following the close of the Pilot Participant Selection Application Window. (c) Filing the FCC Form 484 to be considered for selection in the Pilot Program. (1) Schools, libraries, or consortia of eligible schools and libraries to be considered for participation in the Schools and Libraries Cybersecurity Pilot Program shall submit the first part of an FCC Form 484 to the Administrator, via a portal established by the Administrator, that contains, at a minimum, the following information: (i) Name, entity number, FCC registration number, employer identification number, addresses, and E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61316 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations telephone number for each school, library, and consortium member that will participate in the proposed Pilot project, including the identity of the lead site for any proposals involving a consortium. (ii) Contact information for the individual(s) who will be responsible for the management and operation of the proposed Pilot project, including name, title or position, telephone number, mailing address, and email address. (iii) Applicant number(s) and entity type(s), including Tribal information, if applicable, and current E-Rate participation status and discount percentage, if applicable. (iv) A broad description of the proposed Pilot project, including a description of the applicant’s goals and objectives for the proposed Pilot project, a description of how Pilot funding will be used for the proposed project, and the cybersecurity risks the proposed Pilot project will prevent or address. (v) The cybersecurity equipment and services the applicant plans to request as part of its proposed project, the ability of the project to be selfsustaining once established, and whether the applicant has a cybersecurity officer or other seniorlevel staff member designated to be the cybersecurity officer for its Pilot project. (vi) Whether the applicant has previous experience implementing cybersecurity protections or measures, how many years of prior experience the applicant has, whether the applicant has experienced a cybersecurity incident within a year of the date of its application, and information about the applicant’s participation or planned participation in cybersecurity collaboration and/or informationsharing groups. (vii) Whether the applicant has implemented, or begun implementing, any U.S. Department of Education (Education Department) or Cybersecurity and Infrastructure Security Agency (CISA) best practices recommendations, a description of any Education Department or CISA free or low-cost cybersecurity resources that an applicant currently utilizes or plans to utilize, or an explanation of what is preventing an applicant from utilizing these available resources. (viii) An estimate of the total costs for the proposed Pilot project, information about how the applicant will cover the non-discount share of costs for the Piloteligible services, and information about other cybersecurity funding the applicant receives, or expects to receive, from other Federal, state, local, or Tribal programs or sources. VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 (ix) Whether any of the ineligible services and equipment the applicant will purchase with its own resources to support the eligible cybersecurity equipment and services it plans to purchase with Pilot funding will have any ancillary capabilities that will allow it to capture data on cybersecurity threats and attacks, any free or low-cost cybersecurity resources that the applicant will require service providers to include in their bids, and whether the applicant will require its selected service provider(s) to capture and measure cost-effectiveness and cyber awareness/readiness data. (x) A description of the applicant’s proposed metrics for the Pilot project, how they align with the applicant’s cybersecurity goals, how those metrics will be collected, and whether the applicant is prepared to share and report its cybersecurity metrics as part of the Pilot Program. (2) The first part of the FCC Form 484 shall be signed by a person authorized to submit the application to participate in the Schools and Libraries Cybersecurity Pilot Program on behalf of the eligible school, library, or consortium including such entities. The person authorized to submit the first part of the FCC Form 484 application on behalf of the entities listed on an FCC Form 484 shall also certify under oath that: (i) ‘‘I am authorized to submit this application on behalf of the abovenamed applicant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on any other documents submitted by this applicant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).’’ (ii) ‘‘In addition to the foregoing, this applicant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 prosecution by law enforcement authorities.’’ (iii) ‘‘By signing this application, I certify that the information contained in this form is true, complete, and accurate, and the projected expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286–287, and 1341, and Title 31, §§ 3729–3730 and 3801– 3812).’’ (iv) The applicant recognizes that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. (v) ‘‘I certify and acknowledge, under penalty of perjury, that if selected, the schools, libraries, and consortia in the application will comply with all applicable Schools and Libraries Cybersecurity Pilot Program rules, requirements, and procedures, including the competitive bidding rules and the requirement to pay the required share of the costs for the supported items from eligible sources.’’ (vi) ‘‘I certify under penalty of perjury, to the best of my knowledge, that the schools, libraries, and consortia listed in the application are not already receiving or expecting to receive other funding (from any source, federal, state, Tribal, local, private, or other) that will pay for the same equipment and/or services, or the same portion of the equipment and/or services, for which I am seeking funding under the Schools and Libraries Cybersecurity Pilot Program.’’ (vii) ‘‘I certify under penalty of perjury, to the best of my knowledge, that all requested equipment and services funded by the Schools and Libraries Cybersecurity Pilot Program will be used for their intended purposes.’’ (d) Filing the FCC Form 484 once selected to be in the Pilot Program. (1) Schools, libraries, or consortia of eligible schools and libraries selected for participation in the Schools and Libraries Cybersecurity Pilot Program shall submit to the Administrator, via a E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations portal established by the Administrator, a second part to the FCC Form 484 that contains, at a minimum, the following information, as applicable: (i) Information about correcting known security flaws and conducting routine backups, developing and exercising a cyber incident response plan, and any cybersecurity changes or advancements the participant plans to make outside of the Pilot-funded services and equipment. (ii) A description of the participant’s current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics. (iii) Information about a participant’s planned use(s) for other Federal, state, or local cybersecurity funding (i.e., funding obtained outside of the Pilot). (iv) Information about a participant’s history of cybersecurity threats and attacks within a year of the date of its application; the date range of the incident, a description of the unauthorized access; a description of the impact to the school or library, a description of the vulnerabilities exploited and the techniques used to access the system, and identifying information for each actor responsible for the incident, if known. (v) A description of the specific U.S. Department of Education or Cybersecurity and Infrastructure Security Agency best practices recommendations that the participant has implemented or begun to implement. (vi) Information about a participant’s current cybersecurity training policies and procedures, such as the frequency with which a participant trains its school and library staff and, separately, information about student cyber training sessions, and participation rates. (vii) Information about any nonmonetary or other challenges a participant may be facing in developing a more robust cybersecurity posture. (2) The second part of the FCC Form 484 shall be signed by a person authorized to submit the second part as a participant in the Schools and Libraries Cybersecurity Pilot Program on behalf of the eligible school, library, or consortium including such entities. The person authorized to submit the second part of the FCC Form 484 application on behalf of the Pilot participants listed on an FCC Form 484 shall also certify under oath that: (i) ‘‘I am authorized to submit this application on behalf of the abovenamed participant and that based on information known to me or provided to me by employees responsible for the VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on other documents submitted by this participant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).’’ (ii) ‘‘In addition to the foregoing, this participant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.’’ (iii) ‘‘By signing this application, I certify that the information contained in this form is true, complete, and accurate, and the projected expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286–287, and 1341, and Title 31, §§ 3729–3730 and 3801– 3812).’’ (iv) The participant recognizes that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. (v) ‘‘I certify and acknowledge, under penalty of perjury, that if selected, the schools, libraries, and consortia in the application will comply with all applicable Schools and Libraries Cybersecurity Pilot Program rules, requirements, and procedures, including the competitive bidding rules and the requirement to pay the required PO 00000 Frm 00037 Fmt 4701 Sfmt 4700 61317 share of the costs for the supported items from eligible sources.’’ (vi) ‘‘I certify under penalty of perjury, to the best of my knowledge, that the schools, libraries, and consortia listed in the application are not already receiving or expecting to receive other funding (from any source, federal, state, Tribal, local, private, or other) that will pay for the same equipment and/or services, or the same portion of the equipment and/or services, for which I am seeking funding under the Schools and Libraries Cybersecurity Pilot Program.’’ (vii) ‘‘I certify under penalty of perjury, to the best of my knowledge, that all requested equipment and services funded by the Schools and Libraries Cybersecurity Pilot Program will be used for their intended purposes.’’ (3) In order for a school, library, or consortia of eligible schools and libraries selected for participation in the Schools and Libraries Cybersecurity Pilot Program to retain its status as a Pilot participant and receive Pilot Program support, it will be required to submit the information required by the second part of the FCC Form 484 in the form specified by the Wireline Competition Bureau. (4) The Wireline Competition Bureau may waive, reduce, modify, or eliminate from the second part of the FCC Form 484, information requirements that prove unnecessary for the sound and efficient administration of the Pilot. (5) Failure to submit the information required by the second part of the FCC Form 484 may result in removal as a participant in the Pilot Program and/or a referral to the Enforcement Bureau. (e) Data reporting requirements for participants. (1) In order for a Pilot participant to receive and continue receiving Pilot Program support and retain its status as a Pilot participant, it will be required to submit initial and annual reports, followed by a final report at the completion of the program with the information and in the form specified by the Wireline Competition Bureau. (2) Prior to the start of the Pilot Program, the Wireline Competition Bureau shall announce the timing and form of the initial, annual, and final reports that Pilot participants must submit. (3) The Wireline Competition Bureau may waive, reduce, modify, or eliminate Pilot participant reporting requirements that prove unnecessary and require additional reporting requirements that the Bureau deems necessary to the sound and efficient administration of the Pilot. E:\FR\FM\30JYR3.SGM 30JYR3 61318 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (4) Failure to submit initial, annual, and final reports may result in a referral to the Enforcement Bureau, a hold on future disbursements, recission of committed funds, and/or recovery of disbursed funds. khammond on DSKJM1Z7X2PROD with RULES3 § 54.2005 Competitive bidding requirements. (a) Fair and open competitive bidding process. All participants in the Schools and Libraries Cybersecurity Pilot Program must conduct a fair and open competitive bidding process, consistent with all requirements set forth in this subpart. Note to Paragraph (a): The following is an illustrative list of activities or behaviors that would not result in a fair and open competitive bidding process: the participant seeking supported services has a relationship with a service provider that would unfairly influence the outcome of a competition or would furnish the service provider with inside information; someone other than the participant or an authorized representative of the participant prepares, signs, and submits the FCC Form 470 and certification; a service provider representative is listed as the FCC Form 470 contact person and the participant allows that service provider to participate in the competitive bidding process; the service provider prepares the participant’s FCC Form 470 or participates in the bid evaluation or vendor selection process in any way; the participant turns over to a service provider the responsibility for ensuring a fair and open competitive bidding process; a participant employee with a role in the service provider selection process also has an ownership interest in the service provider seeking to participate in the competitive bidding process; and the participant’s FCC Form 470 does not describe the supported services with sufficient specificity to enable interested service providers to submit responsive bids. (b) Competitive bid requirements. All participants in the Schools and Libraries Cybersecurity Pilot Program shall seek competitive bids, pursuant to the requirements established in this subpart, for all services and equipment eligible for support under § 54.2003, except as provided in paragraph (f) of this section. These competitive bidding requirements apply in addition to any applicable state, Tribal, and local competitive bidding requirements and are not intended to preempt such state, Tribal, or local requirements. (c) Posting of FCC Form 470. (1) Participants in the Schools and Libraries Cybersecurity Pilot Program shall submit a completed FCC Form 470 to VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 the Administrator to initiate the competitive bidding process. The FCC Form 470 shall include, at a minimum, the following information: (i) A list of specified services and/or equipment for which the school, library, or consortium requests bids; and (ii) Sufficient information to enable bidders to reasonably determine the needs of the applicant. (2) The FCC Form 470 shall be signed by a person authorized to request bids for eligible services and equipment for the eligible school, library, or consortium, including such entities, and shall include that person’s certification under penalty of perjury that: (i) ‘‘I am authorized to submit this application on behalf of the abovenamed participant in the Schools and Libraries Cybersecurity Pilot Program and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on other documents submitted by this participant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).’’ (ii) ‘‘In addition to the foregoing, this participant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.’’ (iii) ‘‘By signing this application, I certify that the information contained in this form is true, complete, and accurate. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286–287, and 1341, and Title 31, §§ 3729–3730 and 3801–3812).’’ (iv) The schools meet the definition of ‘‘elementary school’’ or ‘‘secondary school’’, as defined in § 54.2000, do not PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 operate as for-profit businesses, and do not have endowments exceeding $50,000,000. (v) Libraries or library consortia eligible for assistance from a State library administrative agency under the Library Services and Technology Act of 1996 do not operate as for-profit businesses and, except for the limited case of Tribal college or university libraries, have budgets that are completely separate from any school (including, but not limited to, elementary and secondary schools, colleges, and universities). (vi) The services and/or equipment that the school, library, or consortium purchases at discounts will not be sold, resold, or transferred in consideration for money or any other thing of value, except as allowed by § 54.2003(b). (vii) The school(s) and/or library(ies) listed on this FCC Form 470 will not accept anything of value, other than services and equipment sought by means of this form, from the service provider, or any representatives or agent thereof, or any consultant in connection with this request for services. (viii) All bids submitted for eligible equipment and services will be carefully considered, with price being the primary factor, and the bid selected will be for the most cost-effective service offering consistent with paragraph (e) of this section. (ix) The school, library, or consortium acknowledges that support under the Schools and Libraries Cybersecurity Pilot Program is conditional upon the school(s) and/or library(ies) securing access, separately or through this program, to all of the resources necessary to effectively use the requested equipment and services. The school, library, or consortium recognizes that some of the aforementioned resources are not eligible for support and certifies that it has considered what financial resources should be available to cover these costs. (x) ‘‘I will retain required documents for a period of at least 10 years (or whatever retention period is required by the rules in effect at the time of this certification) after the later of the last day of the applicable Pilot Program year or the service delivery deadline for the associated funding request. I also certify that I will retain all documents necessary to demonstrate compliance with the statute (47 U.S.C. 254) and Commission rules regarding the form for, receipt of, and delivery of equipment and services receiving Schools and Libraries Cybersecurity Pilot Program discounts. I acknowledge that I may be audited pursuant to participation in the Pilot Program.’’ E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (xi) ‘‘I certify that the equipment and services that the participant purchases at discounts will be used primarily for educational purposes and will not be sold, resold, or transferred in consideration for money or any other thing of value, except as permitted by the Commission’s rules at 47 CFR 54.2003(b). Additionally, I certify that the entity or entities listed on this form will not accept anything of value or a promise of anything of value, other than services and equipment sought by means of this form, from the service provider, or any representative or agent thereof, or any consultant in connection with this request for services.’’ (xii) ‘‘I acknowledge that support under this Pilot Program is conditional upon the school(s) and/or library(ies) I represent securing access, separately or through this program, to all of the resources necessary to effectively use the requested equipment and services. I recognize that some of the aforementioned resources are not eligible for support. I certify that I have considered what financial resources should be available to cover these costs.’’ (xiii) ‘‘I certify that I have reviewed all applicable Commission, state, Tribal, and local procurement/competitive bidding requirements and that the participant will comply with all applicable requirements.’’ (3) The Administrator shall post each FCC Form 470 that it receives from a participant in the Schools and Libraries Cybersecurity Pilot Program on its website designated for this purpose. (4) After posting on the Administrator’s website an FCC Form 470, the Administrator shall send confirmation of the posting to the participant requesting services and/or equipment. The participant shall then wait at least 28 days from the date on which its description of services and/or equipment is posted on the Administrator’s website before making any commitments with the selected providers of services and/or equipment. The confirmation from the Administrator shall include the date after which the participant may sign a contract with its chosen provider(s). (d) Gift restrictions. (1) Subject to paragraphs (d)(3) and (4) of this section, a participant in the Schools and Libraries Cybersecurity Pilot Program may not directly or indirectly solicit or accept any gift, gratuity, favor, entertainment, loan, or any other thing of value from a service provider participating in or seeking to participate in the Schools and Libraries Cybersecurity Pilot Program. No such service provider shall offer or provide VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 any such gift, gratuity, favor, entertainment, loan, or other thing of value except as otherwise provided in this paragraph (d). Modest refreshments not offered as part of a meal, items with little intrinsic value intended solely for presentation, and items worth $20 or less, including meals, may be offered or provided, and accepted by any individuals or entities subject to this subpart, if the value of these items received by any individual does not exceed $50 from any one service provider per year. The $50 amount for any service provider shall be calculated as the aggregate value of all gifts provided during a year by the individuals specified in paragraph (d)(2)(ii) of this section. (2) For purposes of this paragraph (d): (i) The term ‘‘participant in the Schools and Libraries Cybersecurity Pilot Program’’ includes all individuals who are on the governing boards of such entities (such as members of a school committee), and all employees, officers, representatives, agents, consultants, or independent contractors of such entities involved on behalf of such school, library, or consortium with the Schools and Libraries Cybersecurity Pilot Program, including individuals who prepare, approve, sign, or submit applications, or other forms related to the Schools and Libraries Cybersecurity Pilot Program, or who prepare bids, communicate, or work with Schools and Libraries Cybersecurity Pilot Program service providers, Schools and Libraries Cybersecurity Pilot Program consultants, or with the Administrator, as well as any staff of such entities responsible for monitoring compliance with the Schools and Libraries Cybersecurity Pilot Program; and (ii) The term ‘‘service provider’’ includes all individuals who are on the governing boards of such an entity (such as members of the board of directors), and all employees, officers, representatives, agents, consultants, or independent contractors of such entities. (3) The restrictions set forth in this paragraph (d) shall not be applicable to the provision of any gift, gratuity, favor, entertainment, loan, or any other thing of value, to the extent given to a family member or a friend working for an eligible school, library, or consortium that includes an eligible school or library, provided that such transactions: (i) Are motivated solely by a personal relationship; (ii) Are not rooted in any service provider business activities or any other business relationship with any such participant in the Schools and Libraries Cybersecurity Pilot Program; and PO 00000 Frm 00039 Fmt 4701 Sfmt 4700 61319 (iii) Are provided using only the donor’s personal funds that will not be reimbursed through any employment or business relationship. (4) Any service provider may make charitable donations to a participant in the Schools and Libraries Cybersecurity Pilot Program in the support of its programs as long as such contributions are not directly or indirectly related to Schools and Libraries Cybersecurity Pilot Program procurement activities or decisions and are not given by service providers to circumvent competitive bidding and other Schools and Libraries Cybersecurity Pilot Program rules in this subpart. (e) Selecting a provider of eligible services and/or equipment. In selecting a provider of eligible services and equipment, participants in the Schools and Libraries Cybersecurity Pilot Program shall carefully consider all bids submitted and must select the most cost-effective service and equipment offerings. In determining which service and equipment offering is the most costeffective, entities may consider relevant factors other than the pre-discount prices submitted by providers, but price must be the primary factor considered. (f) Exemption to competitive bidding requirements. Participants in the Schools and Libraries Cybersecurity Pilot Program are not required to file an FCC Form 470 when seeking support for services and equipment purchased from Master Service Agreements negotiated by Federal, state, Tribal, or local governmental entities on behalf of such Pilot participants, if such Master Service Agreements were awarded pursuant to the E-Rate program FCC Form 470 process, as well as applicable Federal, state, Tribal, or local competitive bidding requirements. § 54.2006 Requests for funding. (a) Filing of the FCC Form 471. (1) A participant in the Schools and Libraries Cybersecurity Pilot Program shall, upon entering into a signed contract or other legally binding agreement for eligible services and/or equipment, submit a completed FCC Form 471 to the Administrator. (2) The FCC Form 471 shall be signed by the person authorized to order eligible services or equipment for the participant in the Schools and Libraries Cybersecurity Pilot Program and shall include that person’s certification under penalty of perjury that: (i) ‘‘I am authorized to submit this application on behalf of the abovenamed participant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61320 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations that the data set forth in this application has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on any other documents submitted by this participant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).’’ (ii) ‘‘In addition to the foregoing, this participant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.’’ (iii) ‘‘By signing this application, I certify that the information contained in this application is true, complete, and accurate, and the projected expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286–287, and 1341, and Title 31, §§ 3729–3730 and 3801– 3812).’’ (iv) The school meets the definition of ‘‘elementary school’’ or ‘‘secondary school’’, as defined in § 54.2000, does not operate as a for-profit business, and does not have endowments exceeding $50,000,000. (v) The library or library consortia is eligible for assistance from a State library administrative agency under the Library Services and Technology Act, does not operate as a for-profit business and, except for the limited case of Tribal college and university libraries, have budgets that are completely separate from any school (including, but not limited to, elementary and secondary schools, colleges, and universities). (vi) The school, library, or consortium listed on the FCC Form 471 application will pay the non-discount portion of the costs of the eligible services and/or equipment to the service provider(s). VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 (vii) The school, library, or consortium listed on the FCC Form 471 application has conducted a fair and open competitive bidding process and has complied with all applicable state, Tribal, or local laws regarding procurement of the equipment and services for which support is being sought. (viii) An FCC Form 470 was posted and that any related request for proposals (RFP) was made available for at least 28 days before considering all bids received and selecting a service provider. The school, library, or consortium listed on the FCC Form 471 application carefully considered all bids submitted and selected the most-costeffective bid for services and equipment in accordance with § 54.2005(e), with price being the primary factor considered. (ix) The school, library, or consortium listed on the FCC Form 471 application is only seeking support for eligible services and/or equipment. (x) The school, library, or consortia is not seeking Schools and Libraries Cybersecurity Pilot Program support or reimbursement for the portion of eligible services and/or equipment that have been purchased and reimbursed in full or in part with other Federal, state, Tribal, or local funding, or are eligible for discounts from the schools and libraries universal service support mechanism or another universal service support mechanism. (xi) The services and equipment the school, library, or consortium purchases using Schools and Libraries Cybersecurity Pilot Program support will be used primarily for educational purposes and will not be sold, resold, or transferred in consideration for money or any other thing of value, except as allowed by § 54.2003(b). (xii) The school, library, or consortium will create and maintain an equipment and service inventory as required by § 54.2010(a). (xiii) The school, library, or consortium has complied with all program rules in this chapter and acknowledges that failure to do so may result in denial of funding and/or recovery of funding. (xiv) The school, library, or consortium acknowledges that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector PO 00000 Frm 00040 Fmt 4701 Sfmt 4700 General, or any local, state, or Federal agency with jurisdiction over the entity. (xv) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or received by the participant, including, but not limited to, their employees, officers, representatives, agents, independent contractors, consultants, family members, and individuals who are on the governing boards, from anyone in connection with the Schools and Libraries Cybersecurity Pilot Program or the schools and libraries universal service support mechanism. (xvi) The school, library, or consortium acknowledges that Commission rules in this chapter provide that persons who have been convicted of criminal violations or held civilly liable for certain acts arising from their participation in the universal service support mechanisms are subject to suspension and debarment from the program. The school, library, or consortium will institute reasonable measures to be informed, and will notify the Administrator should it be informed or become aware that any of the entities listed on this application, or any person associated in any way with this entity and/or the entities listed on this application, is convicted of a criminal violation or held civilly liable for acts arising from their participation in the universal service support mechanisms. (b) Service or equipment substitution. (1) A request by a Schools and Libraries Cybersecurity Pilot Program participant to substitute a service or piece of equipment for one identified in its FCC Form 471 must be in writing and certified under penalty of perjury by an authorized person. (2) The Administrator shall approve such written request where: (i) The service or equipment has the same functionality; (ii) The substitution does not violate any contract provisions or state, Tribal, or local procurement laws; and (iii) The Schools and Libraries Cybersecurity Pilot Program participant certifies that the requested change is within the scope of the controlling FCC Form 470. (3) In the event that a service or equipment substitution results in a change in the pre-discount price for the supported service or equipment, support shall be based on the lower of either the pre-discount price of the service or equipment for which support was originally requested or the prediscount price of the new, substituted service or equipment after the Administrator has approved a written request for the substitution. (c) Mixed eligibility services and equipment. A request for discounts for E:\FR\FM\30JYR3.SGM 30JYR3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations services or equipment that includes both eligible and ineligible components must remove the cost of the ineligible components of the service or equipment from the request for funding submitted to the Administrator. (d) Application filing window. The Wireline Competition Bureau will announce the opening of the Pilot Participant Selection Application Window for participants to submit FCC Form 471 applications. The filing period shall begin and conclude on dates to the determined by the Wireline Competition Bureau. The Wireline Competition Bureau may implement additional filing periods as it deems necessary. ■ 4. Delayed indefinitely, add § 54.2008 to read as follows: khammond on DSKJM1Z7X2PROD with RULES3 § 54.2008 Requests for reimbursement. (a) Submission of request for reimbursement (FCC Form 472 or FCC Form 474). Consistent with the invoicing selection made by the Pilot participant, reimbursement for the costs associated with eligible services and equipment shall be provided directly to the participant, or its service provider(s), seeking reimbursement from the Schools and Libraries Cybersecurity Pilot Program upon submission and approval of a completed FCC Form 472 (Billed Entity Applicant Reimbursement Form) or a completed FCC Form 474 (Service Provider Invoice) to the Administrator. (1) The FCC Form 472 shall be signed by the person authorized to submit requests for reimbursement for the eligible school, library, or consortium and shall include that person’s certification under penalty of perjury that: (i) ‘‘I am authorized to submit this request for reimbursement on behalf of the above-named school, library, or consortium and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this request for reimbursement has been examined and is true, accurate, and complete. I acknowledge that any false statement on this request for reimbursement or on other documents submitted by this school, library, or consortium can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).’’ (ii) ‘‘In addition to the foregoing, the school, library, or consortium is in compliance with the rules and orders governing the Schools and Libraries VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.’’ (iii) ‘‘By signing this request for reimbursement, I certify that the information contained in this request for reimbursement is true, complete, and accurate, and the expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, sections §§ 1001, 286–287, and 1341, and Title 31, §§ 3729–3730 and 3801–3812).’’ (iv) The funds sought in the request for reimbursement are for eligible services and/or equipment that were purchased in accordance with the Schools and Libraries Cybersecurity Pilot Program rules and requirements in this subpart and received by the school, library, or consortium. The equipment and/or services being requested for reimbursement were determined to be eligible and approved by the Administrator. (v) The non-discounted share of costs amount(s) were billed by the Service Provider and paid in full by the Billed Entity Applicant on behalf of the eligible schools, libraries, and consortia of those entities. (vi) The school, library, or consortium is not seeking Schools and Libraries Cybersecurity Pilot Program reimbursement for the portion of eligible services and/or equipment that have been purchased and reimbursed in full or in part with other Federal, state, Tribal, or local funding or are eligible for discounts from the schools and libraries universal service support mechanism or other universal service support mechanisms. (vii) The school, library, or consortium acknowledges that it must submit invoices detailing the items purchased and received along with the submission of its request for reimbursement as required by paragraph (b) of this section. (viii) The equipment and/or services the school, library, or consortium PO 00000 Frm 00041 Fmt 4701 Sfmt 4700 61321 purchased will not be sold, resold, or transferred in consideration for money or any other thing of value, except as allowed by § 54.2003(b). (ix) The school, library, or consortium acknowledges that it may be subject to an audit, inspection, or investigation pursuant to its request for reimbursement, that it will retain for ten years any and all records related to its request for reimbursement, and will make such records and equipment purchased with Schools and Libraries Cybersecurity Pilot Program reimbursement available at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or received by the participant, including, but not limited to, their employees, officers, representatives, agents, independent contractors, consultants, family members, and individuals who are on the governing boards, from anyone in connection with the Schools and Libraries Cybersecurity Pilot Program or the schools and libraries universal service support mechanism. (xi) The school, library, or consortium acknowledges that Commission rules provide that persons who have been convicted of criminal violations or held civilly liable for certain acts arising from their participation in the universal service support mechanisms are subject to suspension and debarment from the program. The school, library, or consortium will institute reasonable measures to be informed, and will notify the Administrator should it be informed or become aware that any of the entities listed on this application, or any person associated in any way with this entity and/or the entities listed on this application, is convicted of a criminal violation or held civilly liable for acts arising from their participation in the universal service support mechanisms. (xii) No universal service support has been or will be used to purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by any company designated by the Commission as posing a national security threat to the integrity of communications networks or the communications supply chain since the effective date of the designations. (xiii) No Federal subsidy made available through a program administered by the Commission that provides funds to be used for the capital expenditures necessary for the provision of advanced communications services E:\FR\FM\30JYR3.SGM 30JYR3 khammond on DSKJM1Z7X2PROD with RULES3 61322 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations has been or will be used to purchase, rent, lease, or otherwise obtain, any covered communications equipment or service, or maintain, any covered communications equipment or service, or maintain any covered communications equipment or service previously purchased, rented, leased, or otherwise obtained, as required by § 54.10. (2) The FCC Form 474 shall be signed by the person authorized to submit requests for reimbursement for the service provider and shall include that person’s certification under penalty of perjury that: (i) ‘‘I am authorized to submit this request for reimbursement on behalf of the above-named Service Provider and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this request for reimbursement has been examined and is true, accurate, and complete. I acknowledge that any false statement on this request for reimbursement or on other documents submitted by this Service Provider can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).’’ (ii) ‘‘In addition to the foregoing, the Service Provider is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.’’ (iii) ‘‘By signing this request for reimbursement, I certify that the information contained in this request for reimbursement is true, complete, and accurate, and the expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286–287, VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 and 1341, and Title 31, §§ 3729–3730 and 3801–3812).’’ (iv) The funds sought in the request for reimbursement are for eligible services and/or equipment that were purchased in accordance with the Schools and Libraries Cybersecurity Pilot Program rules and requirements in this subpart and received by the school, library, or consortium. (v) The Service Provider is not seeking Schools and Libraries Cybersecurity Pilot Program reimbursement for eligible equipment and/or services for which the Service Provider has already been paid. (vi) The Service Provider certifies that the school’s, library’s, or consortium’s non-discount portion of costs for the eligible equipment and services has not been waived, paid, or promised to be paid by this Service Provider. The Service Provider acknowledges that the provision of a supported service or free services or equipment unrelated to the supported equipment or services constitutes a rebate of the non-discount portion of the costs as stated in § 54.2007(d). (vii) The Service Provider acknowledges that it must submit invoices detailing the items purchased and provided to the school, library, or consortium, along with the submission of its request for reimbursement as required by paragraph (b) of this section. (viii) The Service Provider certifies that it is compliant with the Commission’s rules and orders regarding gifts and this Service Provider has not directly or indirectly offered or provided any gifts, gratuities, favors, entertainment, loans, or any other thing of value to any eligible school, library, or consortium, except as provided for in this subpart. (ix) The Service Provider acknowledges that it may be subject to an audit, inspection, or investigation pursuant to its request for reimbursement, that it will retain for ten years any and all records related to its request for reimbursement, and will make such records and equipment purchased with Schools and Libraries Cybersecurity Pilot Program reimbursement available at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity. (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid by the Service Provider to anyone in connection with the Schools and Libraries Cybersecurity Pilot Program or the schools and PO 00000 Frm 00042 Fmt 4701 Sfmt 4700 libraries universal service support mechanism. (xi) The Service Provider is not debarred or suspended from any Federal programs, including the universal service support mechanisms. (xii) No universal service support has been or will be used to purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by any company designated by the Commission as posing a national security threat to the integrity of communications networks or the communications supply chain since the effective date of the designations. (xiii) No Federal subsidy made available through a program administered by the Commission that provides funds to be used for the capital expenditures necessary for the provision of advanced communications services has been or will be used to purchase, rent, lease, or otherwise obtain, any covered communications equipment or service, or maintain any covered communications equipment or service, or maintain any covered communications equipment or service previously purchased, rented, leased, or otherwise obtained, as required by § 54.10. (b) Required documentation. Along with the submission of a completed FCC Form 472 or FCC Form 474, a participant or service provider seeking reimbursement from the Schools and Libraries Cybersecurity Pilot Program must submit invoices detailing the items purchased and received to the Administrator at the time the FCC Form 472 or FCC Form 474 is submitted. (c) Reimbursement and invoice processing. The Administrator shall accept and review requests for reimbursement and invoices subject to the invoice filing deadlines provided in paragraph (d) of this section. (d) Invoice filing deadline. Invoices must be submitted to the Administrator within ninety (90) days after the last date to receive service, in accordance with § 54.2001(c). (e) Invoice deadline extensions. In advance of the deadline calculated pursuant to paragraph (d) of this section, billed entities or service providers may request a one-time extension of the invoice filing deadline. The Administrator shall grant a ninety (90) day extension of the invoice filing deadline, if the request is timely filed. (f) Choice of payment method. Service providers providing discounted services under this subpart shall, prior to the submission of the FCC Form 471, permit the Schools and Libraries Cybersecurity Pilot Program participant to choose the method of payment for the discounted E:\FR\FM\30JYR3.SGM 30JYR3 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations services from those methods offered by the Administrator, including making a full undiscounted payment and receiving subsequent reimbursement of 61323 the discount amount from the Administrator. [FR Doc. 2024–15866 Filed 7–29–24; 8:45 am] khammond on DSKJM1Z7X2PROD with RULES3 BILLING CODE 6712–01–P VerDate Sep<11>2014 17:01 Jul 29, 2024 Jkt 262001 PO 00000 Frm 00043 Fmt 4701 Sfmt 9990 E:\FR\FM\30JYR3.SGM 30JYR3

Agencies

[Federal Register Volume 89, Number 146 (Tuesday, July 30, 2024)]
[Rules and Regulations]
[Pages 61282-61323]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-15866]



[[Page 61281]]

Vol. 89

Tuesday,

No. 146

July 30, 2024

Part III





Federal Communications Commission





-----------------------------------------------------------------------





47 CFR Part 54





Schools and Libraries Cybersecurity Pilot Program; Final Rule

Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules 
and Regulations

[[Page 61282]]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 54

[WC Docket No. 23-234; FCC 24-63; FRS ID 230286]


Schools and Libraries Cybersecurity Pilot Program

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission or FCC) stablishes the Schools and Libraries Cybersecurity 
Pilot Program (Pilot or Pilot Program). The Pilot Program will enable 
the Commission to evaluate the impact that using Universal Service Fund 
(USF or Fund) support for eligible cybersecurity services and equipment 
will have on protecting school and library broadband networks and data. 
In so doing, the Commission seeks to address the apparent needs of 
schools and libraries for additional support for cybersecurity services 
and equipment, while evaluating the impact that providing that support 
would have on the USF.

DATES: Effective August 29, 2024, except for amendatory instruction 3 
(adding Sec. Sec.  54.2004, 54.2005, and 54.2006) and amendatory 
instruction 4 (adding Sec.  54.2008), which are delayed indefinitely. 
The Commission will publish a document in the Federal Register 
announcing the effective date for those sections.

FOR FURTHER INFORMATION CONTACT: Kristin Berkland 
[email protected] in the Telecommunications Access Policy 
Division, Wireline Competition Bureau, 202-418-7400 or TTY: 202-418-
0484. Requests for accommodations should be made as soon as possible in 
order to allow the agency to satisfy such requests whenever possible. 
Send an email to [email protected] or call the Consumer and Governmental 
Affairs Bureau at (202) 418-0530.

SUPPLEMENTARY INFORMATION: This is a synopsis of the Commission's 
Schools and Libraries Cybersecurity Pilot Program, Report and Order 
(Order), in WC Docket No. 23-234; FCC 24-63, adopted June 6, 2024, and 
released June 11, 2024. The full text of this document is available at 
the following internet address: https://www.fcc.gov/document/fcc-adopts-200m-cybersecurity-pilot-program-schools-libraries-0.

I. Introduction

    1. As broadband connectivity and internet access have become 
essential for K-12 students and adults alike, the security and safety 
of that access has likewise become paramount. Whether for online 
learning, job searching, or connecting with peers and the community, 
high-speed broadband is critical to educational, professional, and 
personal success in the modern world. Although broadband connectivity 
and internet access can simplify and enhance the education and daily 
lives of K-12 students, school staff, and library patrons, they can 
also be used by malicious actors to steal personal information, 
compromise online accounts, and cause online personal harm or 
embarrassment. In response to the growing importance of cybersecurity 
to broadband connectivity and internet access for K-12 schools and 
libraries, and in light of the increase in cyberattacks to disrupt or 
disable these critical networks, the Commission adopts a three-year 
pilot program within the USF to provide up to $200 million to support 
cybersecurity services and equipment for eligible schools and 
libraries.
    2. The Pilot Program is a critical next step to evaluate whether, 
and to what extent, the Commission should leverage the USF to support 
the cybersecurity needs of schools and libraries. By proceeding via a 
short-term Pilot Program, the Commission can gather key data on the 
types of cybersecurity services and equipment that K-12 schools and 
libraries need to protect their broadband networks and securely connect 
students, school staff, and library patrons to advanced communications 
that are integral to education. The Pilot Program will evaluate whether 
supporting cybersecurity services and equipment with universal service 
funds advances the key universal service principles of providing 
quality internet and broadband services to K-12 schools and libraries 
at just, reasonable, and affordable rates; and ensuring schools' and 
libraries' access to advanced telecommunications. Importantly, the 
Pilot Program will also enable the Commission to better estimate the 
costs of supporting cybersecurity services and equipment via the USF, 
which will help inform future decisions on how to best utilize the USF 
to support the connectivity and network security needs of K-12 schools 
and libraries. Data and information collected through this Pilot 
Program may also aid in the considerations of broader efforts across 
the government to help schools and libraries address their 
cybersecurity concerns. In this regard, the Commission notes that other 
Federal partners, including the Department of Homeland Security's 
Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. 
Department of Education (Education Department), have jurisdiction and 
deep expertise on cybersecurity matters, and the Commission expects 
continued interagency coordination will enable us to leverage their 
knowledge and resources to explore how the Commission can contribute to 
addressing the cybersecurity needs of K-12 schools and libraries.
    3. Eligible schools and libraries will be able to request and 
receive support through the Pilot Program to purchase a wide range of 
qualifying cybersecurity services and equipment that best suit their 
particular needs. To ensure that the Commission is able to select a 
large number of participants for the Pilot Program, it adopts per-
student and per-library budgets, subject to a minimum funding floor, as 
well as an overall funding cap. Additionally, the Commission expects to 
select a diverse cross-section of schools, libraries, and consortia to 
participate in the Pilot Program, with a focus on selecting applicants 
with the greatest need. By selecting a participant pool that reflects 
large, small, urban, rural, and Tribal schools and libraries, the 
Commission expects to gain a better understanding about the 
cybersecurity needs of a wide range of schools and libraries.
    4. In adopting this Pilot Program, the Commission is also mindful 
of the E-Rate program's longstanding goal of promoting connectivity, as 
well as its obligation to be a mindful and prudent steward of the 
Commission's limited universal service funds. To that end, the 
Commission must balance its actions in this proceeding against 
competing priorities, bearing in mind that the universal service funds 
are obtained through assessments collected from telecommunications 
carriers that are typically passed on to and paid for by U.S. 
consumers. The Commission acknowledges that, as a limited-term Pilot 
Program, only a subset of K-12 schools and libraries will likely be 
selected and receive support to defray their cybersecurity-related 
costs. And, with a $200 million budget, the Pilot Program will not be 
able to fund all of the cybersecurity-related needs of the selected 
Pilot participants. The Commission notes that the estimated costs for 
all types of cybersecurity services may exceed the funding available 
for this Pilot Program, and it further notes that the Pilot 
participants will not receive 100% reimbursement, as they will be 
required to pay their non-discount share of the costs of the

[[Page 61283]]

eligible services and equipment. Within this framework, the Commission 
finds that the Pilot Program will serve a vital role in informing the 
Commission, and the broader Federal Government, as to the most pressing 
cybersecurity needs of K-12 schools and libraries, and the associated 
costs, which will enable the Commission and other stakeholders to best 
address these needs on a long-term basis.

II. Discussion

    5. In the Order, the Commission establishes a three-year Pilot 
Program to evaluate whether supporting cybersecurity services and 
equipment with universal service support could advance the key 
universal service principles of providing quality internet access and 
broadband services to K-12 schools and libraries at just, reasonable, 
and affordable rates; and ensuring schools' and libraries' access to 
advanced telecommunications as provided by Congress in the 
Telecommunications Act of 1996 (1996 Act). Specifically, the Commission 
first adopts a three-year Pilot timeframe and $200 million cap to 
support cybersecurity services and equipment, including advanced 
firewalls, for eligible schools and libraries, and consortia of 
eligible schools and libraries, using the Connected Care Pilot Program 
as a model. Second, the Commission establishes per-student and per-
library budgets to specify the amount of funding that Pilot 
participants can receive and ensure funding can be widely disbursed. 
Next, the Commission confirms that all eligible schools and libraries, 
including those that do not currently participate in the E-Rate 
program, are eligible to apply to participate in the Pilot Program. The 
Commission then adopts a Pilot eligible services list that specifies 
the cybersecurity services and equipment that will be eligible for 
Pilot funding, and an application process that mirrors the E-Rate 
program and through which it can select a broad pool of participants. 
In addition, the Commission establishes Pilot Program rules and 
procedures for all phases of the Pilot, including competitive bidding, 
requesting funding, and invoicing/reimbursement. These Pilot rules and 
procedures draw on its experience administering the E-Rate and 
Emergency Connectivity Fund (ECF) programs and will promote efficient 
program administration and reduce burdens on Pilot participants. The 
Commission also appoints an Administrator of the Pilot and adopt 
program integrity protections, including document retention and 
production, gift, certification, audit, and suspension and debarment 
rules, consistent with its responsibility to be a careful steward of 
the limited USF dollars. The Commission then adopts Pilot performance 
goals and data reporting requirements to help us assess the costs and 
benefits of using the limited universal service funds to support the 
cybersecurity needs of K-12 schools and libraries, and establish appeal 
and waiver request rules to provide recourse for parties aggrieved by 
decisions of the Pilot Program Administrator. Lastly, the Commission 
concludes that the Commission has legal authority to establish a Pilot 
Program that provides USF support for cybersecurity services and 
equipment to eligible schools and libraries and that the requirements 
of the Children's internet Protection Act (CIPA) are triggered by the 
purchase of eligible services or equipment through the Pilot.
    6. Pilot Program Timeframe. The Commission first adopts a Pilot 
Program duration of three years. In the Cybersecurity Notice of 
Proposed Rulemaking (NPRM), 88 FR 90141, December 29, 2023, the 
Commission sought comment on its proposed three-year term for the Pilot 
Program. The Commission sought comment specifically to understand 
whether (i) the proposed length of the program would be sufficient to 
provide the Commission with data to evaluate how effective the Pilot 
funding is in protecting K-12 schools and libraries, and their 
broadband networks and data, from cybersecurity threats and attacks; 
(ii) if it would be feasible to shorten the Pilot without compromising 
the integrity of the data collected; and (iii) if it should provide 
additional time for participants to prepare for the Pilot or for the 
Commission to evaluate the data at the conclusion of the Pilot.
    7. While several commenters support the proposed Pilot duration of 
three years, many advocated for a shortened Pilot duration of either 
one year or eighteen months. Commenters supporting a shorter Pilot 
timeframe offered four main reasons for doing so. First, commenters 
argued that a three-year Pilot would render the data collected on 
cybersecurity services and equipment used to combat cybersecurity 
threats and attacks obsolete by the conclusion of the Pilot Program. 
Second, commenters advocated that a shorter program would allow the 
Commission to evaluate Pilot data in time to align with the next E-Rate 
category two budget cycle (i.e., funding years (FY) 2026 through FY 
2030). Third, commenters argued for a shorter duration on the grounds 
that applicants who were not selected to participate in the Pilot would 
be required to wait over three years to potentially receive funding to 
combat cybersecurity threats and attacks. Finally, commenters 
recommended a shorter Pilot term or, alternatively, a higher cap, in 
order to increase the number and diversity of participants.
    8. A three-year Pilot Program will give the Commission the time to 
evaluate whether universal service support should be used to fund 
cybersecurity services and equipment on a permanent basis and the 
Commission adopts a program duration of three years for the Pilot. In 
establishing the Connected Care Pilot Program, the Commission concluded 
that a three-year pilot program was ``reasonable and [would] allow the 
Commission to obtain sufficient, meaningful data from the selected 
pilot projects'' and the Commission finds the same reasoning applies 
here. As a responsible steward of the limited USF, the Commission is 
obliged to carefully evaluate any actions that would expand demands on 
the Fund. This is particularly important where, as here, the Commission 
is exploring whether to make funding available to support services and 
equipment not previously covered, and where other resources may be 
available. Given record estimates regarding what it could cost to fund 
a complete suite of cybersecurity services and equipment, the 
Commission thinks it is imperative to carefully consider the potential 
benefits--and burdens--before deciding whether to move forward with 
such funding on a wider scale or permanent basis. The Commission 
believes that a three-year term will enable us to gather the necessary 
information.
    9. The Commission recognizes there is a tradeoff between learning 
more from the Pilot and moving quickly to potentially expand support to 
protect K-12 schools' and libraries' broadband networks and data from 
cybersecurity threats and attacks. While some commenters suggested 
setting a one-year to eighteen-month term, in part to align with the 
next category two budget cycle, the Commission declines to do so. A 
shorter term would hamper the Commission's ability to evaluate the use 
of universal service funds to fund cybersecurity equipment and 
services, particularly given the expected lead time for schools and 
libraries to implement a cybersecurity solution and unknowns around the 
evolving threat of potential cybersecurity attacks. Moreover, the 
Commission notes that it would be challenging to align the conclusion 
of the Pilot with the next category two budget cycle in any event, 
given the time needed to evaluate

[[Page 61284]]

lessons learned from the Pilot and the proceedings needed to implement 
any permanent funding stream for cybersecurity services and equipment. 
Additionally, the Commission disagrees with commenters that a three-
year term would render any potential solutions or analysis obsolete. 
Given the flexibility the Commission provides to Pilot participants to 
select and modify the cybersecurity services and equipment they choose 
over the three-year period, the Commission expects that participants 
will be able to quickly adapt to changes in cybersecurity threats or 
attacks, or the availability of new cybersecurity solutions. 
Additionally, given the reporting requirements adopted herein, the 
Commission expects to keep pace with lessons learned from the Pilot as 
data is provided which, in turn, will help facilitate its analysis and 
determination of next steps. Finally, the Commission disagrees with 
commenters who suggest it shorten the Pilot term or allocate additional 
funding in order to fund a greater or wider array of participants. The 
Commission believes the $200 million cap will allow it to provide 
sufficient support to a wide cross-section of Pilot participants; thus, 
the benefits to retaining the proposed three-year time frame are 
greater than the benefits of a shorter duration.
    10. Pilot Program Cap. The Commission also adopts a Pilot Program 
funding cap of $200 million over three years for the Pilot Program. In 
the Cybersecurity NPRM, the Commission sought comment on whether (i) a 
cap of $200 million would be sufficient to obtain meaningful data about 
how this funding would help to protect schools' and libraries' 
broadband networks and data and improve their ability to address K-12 
cyber risks; (ii) if a lower cap would be sufficient for these purposes 
(e.g., $100 million); and (iii) how the total Pilot Program cap should 
be distributed over the three-year funding period in a way that 
accounts for participants' spending needs while ensuring predictable 
funding over the three-year term.
    11. Several commenters agree that the proposed $200 million funding 
cap is sufficient to fund a wide range of Pilot participants over a 
three-year period. Others suggested a higher amount in order to provide 
funding to a larger number of Pilot participants. Having reviewed the 
record in its entirety, the Commission adopts the proposed $200 million 
funding cap for the Pilot Program. For its goal of obtaining meaningful 
information on how this Pilot could help protect schools' and 
libraries' broadband networks and data, and improve their ability to 
address K-12 schools' and libraries' cybersecurity risks, as discussed 
in the Order, the Commission believes the proposed cap of $200 million 
over three years will be sufficient.
    12. To provide funding for the Pilot, and to minimize the impact on 
the contribution factor, the Commission will assign unused E-Rate funds 
from prior funding years to cover the full $200 million cap. In 2023, 
the Wireline Competition Bureau (Bureau) found that unused funds from 
prior funding years were available for use in funding year 2023 and 
directed the USF Administrator, the Universal Service Administrative 
Company (USAC), to fully fund year 2023 demand, and to reserve an 
additional $190 million of carry forward funds for future use. 
Similarly, in 2024, the Bureau directed USAC to reserve $10 million of 
the available $500 million of carry forward funds for future use. With 
the Order, the Commission assigns that $200 million of carry forward 
funding to offset the collection requirements for the Pilot, thereby 
reducing any potential increase on the contribution factor. In the 
Cybersecurity NPRM, the Commission sought comment on other approaches 
that could be used to fund the Pilot, aside from directing USAC to 
separately collect the needed funds. No commenter addressed these 
approaches. Making use of carry forward funding in this way is 
consistent with its responsibility to be a careful steward of the USF, 
while at the same time allowing the Commission to respond to the need 
for additional cybersecurity funding for K-12 schools and libraries. 
This approach is consistent with how the E-Rate and other USF programs 
are administered.
    13. The Commission next adopts fixed per-student and per-library 
budgets to determine the amount of funding that participants may 
receive during the Pilot. In the Cybersecurity NPRM, the Commission 
sought comment on how to evaluate funding requests and whether to 
establish a maximum amount of funding that an individual participant 
could receive. Among other things, the Commission sought comment on 
whether providing a larger amount of funding to a smaller number of 
participants, or a smaller amount of funding to a greater number of 
participants, would best enable us to assess the use of the USF for 
cybersecurity services and equipment. In particular, the Commission 
sought comment on whether it should establish a per-student budget, 
with a corresponding budget for libraries, as well as the data sources 
and cost information that would be appropriate to use in evaluating 
funding requests. Additionally, the Commission sought comment on 
whether it should require Pilot participants to contribute a portion of 
the eligible costs of cybersecurity services and equipment in order to 
receive funding. The Commission further proposed to apply a 
participant's category two discount rate to calculate the non-
discounted share of costs for the Pilot Program, but also sought 
comment on requiring participants to instead contribute a fixed 
percentage of the costs of the cybersecurity services and equipment 
purchased. Finally, the Commission sought comment on whether a 
participant should receive its funding commitment in equal 
installments, or whether there may be reasons why a Pilot participant 
may need access to a greater amount earlier during the three-year term.
    14. A 2021 cost study submitted jointly by Funds For Learning, LLC 
(FFL), the Consortium for School Networking (CoSN), and others 
estimated it would cost approximately $13.60 per student annually to 
support advanced or next-generation firewall services, $16.20 per 
student annually to support endpoint security and protection, and 
$14.50 per student annually to support additional, advanced 
cybersecurity services and equipment. Rubrik, Inc. (Rubrik), in its 
comments, stated it would be reasonable to establish a funding maximum 
for individual entities of $1 million to $2 million. Based on its 
review of the cost estimates submitted by commenters, and consistent 
with its goal to provide funding to a wide variety of participants, as 
discussed in the Order, the Commission adopts fixed budgets to 
determine the amount of funding that a Pilot participant can receive. 
While these budgets, including associated maximums and floors, are 
specified in terms of annualized dollar amounts, participants' expenses 
are capped based on the full three-year duration of the Pilot and not 
on an annual basis. Thus, Pilot participants may request reimbursement 
for expenses as they are incurred even if it means that the amount of 
funding disbursed to a participant in a given year of the program 
exceeds their annual budget, so long as the total amount disbursed to a 
participant over the three-year term does not exceed three times that 
annual budget. In establishing these budgets, which account for the 
estimated costs of different types of advanced cybersecurity solutions, 
the Commission expects to provide a meaningful benefit to a substantial 
number of schools, libraries, and consortia. In

[[Page 61285]]

implementing this approach, the Commission declines to award support 
based on a percentage of a participant's category one or category two 
budget, as suggested by some commenters. The Commission finds that a 
more tailored approach, grounded in the estimated cost of implementing 
specific types of cybersecurity solutions, would best achieve its goals 
in a targeted and cost-effective manner. Furthermore, the Commission 
notes that because it does not limit Pilot participation to current E-
Rate applicants, it would be difficult to implement an approach based 
on category one or category two budgets. When implementing these 
budgets, the Commission will categorize Pilot applicants and consider 
their funding needs in combination with their applicant type, as 
discussed in greater detail below.
    15. Schools and School Districts. Schools and school districts will 
be eligible to receive up to $13.60 per student, annually, on a pre-
discount basis, to purchase eligible cybersecurity services and 
equipment over the three-year Pilot duration. The Commission finds that 
a pre-discount annual budget of $13.60 per student strikes an 
appropriate balance between supporting the various types of 
cybersecurity services and equipment needed to protect school networks 
and data, and its desire to provide funding to as many schools and 
school districts as possible in the limited-term Pilot Program. 
Additionally, the Commission notes that this per-student annual budget 
is sufficient to support the majority of the total annual costs related 
to any one of the three types of security measures FFL and CoSN 
identified in their cost estimate, and is also consistent with the 
Commission's analysis in the First 2014 E-Rate Order, 80 FR 167, 
January 5, 2015, that established per-student budgets for category two 
equipment and services.
    16. The Commission recognizes that for many schools a pre-discount 
annual budget of $13.60 will not, by itself, be sufficient to fund all 
of the school's cybersecurity needs to achieve a fully mature 
cybersecurity posture, as doing so would typically require a school to 
implement multiple categories of technical solutions, often in a 
specific priority order. Given the limited Pilot funding available, its 
approach instead ensures that each participating school will receive 
funding to prioritize implementation of solutions within one major 
technological category requested by commenters, enabling the school to 
make meaningful progress toward its own cybersecurity goals and 
providing flexibility for schools with differing cybersecurity 
strengths and vulnerabilities. The Commission finds that this approach 
ensures that each participant can make meaningful, incremental progress 
towards its own cybersecurity goals, and best positions the Commission 
to assess the benefits that accrue from funding individual 
cybersecurity solutions, consistent with a core objective of the Pilot. 
The Commission also finds that this approach represents a strategic and 
cost-effective way to spend the limited Pilot funds in the context of 
considering future changes to the E-Rate program, as it creates 
incentives for each school to select the most impactful incremental 
solutions available to it in view of the school's specific 
cybersecurity vulnerabilities and strengths.
    17. Schools and school districts selected for the Pilot Program 
will be eligible to receive, at a minimum, $15,000 in annual support, 
on a pre-discount basis, over the three-year Pilot duration. The 
Commission establishes this funding floor to ensure that even the 
smallest schools and school districts can receive support sufficient to 
purchase a variety of cybersecurity services and equipment. The 
Commission sets the annual funding floor at $15,000, pre-discount, 
because it aligns with the annual cost estimate submitted by FFL and 
CoSN, which found that that the approximate per-site annual cost for 
advanced firewalls is $15,994. The Commission notes that a pre-discount 
$13.60 per-student budget equates to approximately 1,100 students in a 
school or school district receiving $15,000 in support. As a result, 
schools and school districts with 1,100 students or fewer will be 
eligible to receive the pre-discount $15,000 annual funding floor. The 
Commission also establishes an annual budget maximum of $1.5 million, 
pre-discount, which equates to approximately 110,000 students, using 
the pre-discount $13.60 per-student budget. As a result, schools and 
school districts with more than 1,100 students, and up to approximately 
110,000 students, will calculate their budget using the pre-discount 
$13.60 per-student multiplier. Schools and school districts with more 
than 110,000 students will be subject to the annual budget maximum of 
$1.5 million, over the three-year Pilot duration. The Commission finds 
that a $1.5 million annual maximum reflects the greater purchasing 
power of larger schools, school districts, and consortia, and the 
associated reduction in the cost-per-student amount. Additionally, the 
Commission establishes the annual budget maximum to best ensure that 
Pilot funds are able to support cybersecurity services and equipment 
for as many participants as possible, and also to ensure that a 
disproportionate amount of funding is not awarded to any one 
participant.
    18. Libraries and Library Systems. Rather than adopt a per-user 
budget, as the Commission has for schools and school districts, or a 
budget based on library square footage as it does for category two E-
Rate funding requests, it adopts a budget that provides a set amount of 
funding per library to purchase cybersecurity services and equipment. 
In particular, the Commission establishes a pre-discount annual budget 
of $15,000 per library up to 11 libraries/sites, consistent with its 
analysis regarding the per-site funding amount needed to support 
advanced firewalls. Library systems with more than 11 libraries/sites 
will be eligible for support up to $175,000 annually, pre-discount, 
which approximately reflects the cost of providing advanced firewalls 
to an entity with between 10 and 24 locations. The Commission believes 
using a per-site methodology and funding caps for calculating library 
budgets is more appropriate than using library square footage, as it 
does for E-Rate category two funding requests, because costs for 
cybersecurity services and equipment do not scale with square footage 
in the same way as they do for building internal Wi-Fi networks. The 
Commission also finds that the pre-discount budgets established for 
libraries and library systems are generally consistent with how funding 
is allocated in the E-Rate program to cover the majority of the cost of 
supported services and equipment, and strike a balance between funding 
a baseline amount needed to procure cybersecurity services and 
equipment, and ensuring that the Pilot Program is able to support as 
many participants as possible.
    19. Consortia. Consortia participants comprised of eligible schools 
and libraries will be eligible to receive funding based on student 
count (using the annual pre-discount $13.60 per student multiplier and 
$1.5 million, pre-discount, annual cap) and the number of library sites 
(using the pre-discount $15,000 per library annual budget up to 11 
libraries/sites and the $175,000, pre-discount, annual cap). Consortia 
that are solely comprised of schools will be subject to the pre-
discount annual $1.5 million budget maximum applicable to schools. 
Consortia that are solely comprised of libraries will be subject to the 
pre-discount $175,000 annual budget maximum for library systems. 
Consortia comprised of both eligible

[[Page 61286]]

schools and libraries will be subject to the pre-discount $1.5 million 
annual budget maximum applicable to schools. The Commission finds these 
budget maximums are an important mechanism to ensure that Pilot funding 
is widely disbursed. The Commission will also require each consortium 
to select a consortium leader.
    20. Non-discount Share of Costs. The Commission will require 
participants to contribute a portion of the costs of the cybersecurity 
services and equipment they seek to purchase with Pilot Program 
support, similar to the non-discount share that E-Rate applicants are 
required to contribute to the cost of their eligible services and 
equipment. The Commission agrees with the Dallas Independent School 
District that requiring participants to contribute some portion of the 
costs of eligible services and equipment, as it has in E-Rate, will be 
``successful in aligning the interests of applicants to minimizing 
waste, fraud, and abuse.'' In the Cybersecurity NPRM, the Commission 
proposed using a participant's category two discount rate to determine 
the portion of costs a participant will be required to contribute. The 
Commission establishes in the Order, instead, that participants will 
use their category one discount rate to determine the non-discount 
share of costs. Thus, participants with the students with the greatest 
need will be eligible for support for 90 percent of their costs, and 
will be required to contribute 10 percent of the cost of eligible 
cybersecurity services and equipment purchased with Pilot funds. By 
using the category one discount rate, the program's neediest schools 
and libraries will have greater flexibility in selecting eligible 
services and equipment, thus supporting its goal to evaluate the 
benefits of supporting advanced firewalls and cybersecurity services 
using the USF. Furthermore, the category one discount rate is 
appropriate, as Pilot funds will be used to enhance the protection of 
the broadband networks, including those funded from the E-Rate 
program's category one. The Commission finds that this approach is 
preferable to establishing a uniform contribution percentage like the 
one adopted for the Connected Care Pilot Program because it equitably 
accounts for the relative need of the participant. Moreover, most, if 
not all, Pilot applicants and participants--including large state or 
regional consortia--are already familiar with the use of discount rates 
in the E-Rate program.
    21. Disbursement of Support. The Commission will permit Pilot 
participants to request reimbursement as expenses are incurred, even if 
it means that a greater amount of funding is disbursed earlier in the 
three-year Pilot term than is specified by its annual budgets, so long 
as the overall disbursement to a participant over the course of the 
three-year Pilot term does not exceed three times the annual budget. In 
doing so, the Commission acknowledges that some participants may face 
greater up-front costs for the services and equipment needed to 
implement their cybersecurity plans, whereas others may have ongoing 
recurring costs, or some combination of both. The Commission agrees 
with Cisco that it should not adopt a ``static'' funding approach, as 
well as with Palo Alto Networks, Inc. that a flexible approach would 
``ensure a stronger runway for the deployment and configuration of 
eligible solutions and products under the Pilot.'' However, the 
Commission declines to adopt the recommendation of Advanced Technology 
Academic Research Center Cybersecurity Higher Education and Workforce 
Development Working Group that it abandon its traditional reimbursement 
structure to provide ``seed'' money at the outset of the Pilot. The 
reimbursement process the Commission adopts here is consistent with the 
reimbursement processes used in the E-Rate and other universal service 
programs and, combined with the requirement that Pilot participants 
contribute some amount of their own money towards the cost of eligible 
services and equipment, serves as an important backstop for 
safeguarding the integrity of the Pilot Program. Moreover, while the 
Commission is mindful of the importance of establishing a predictable 
cap that minimizes the contribution burden on consumers, it expects 
that the limited nature of the Pilot cap relative to the overall size 
of the Fund, as well as its planned use of the reserved $200 million in 
carry forward funding, will minimize any burden to the overall Fund for 
any given quarter.
    22. Pilot Benefits will Exceed Costs. The Commission expects the 
benefits of the Pilot Program to exceed the costs. As a threshold 
matter, the Commission notes that program participation by applicants, 
participants, and service providers is voluntary, and it expects that 
Pilot participants will carefully weigh the benefits, costs, and 
burdens of participation to ensure that the benefits outweigh their 
costs. The Pilot will also enable us to evaluate the estimated economic 
benefits of using universal service support for cybersecurity services 
and equipment, compared to its cost to the Fund. In this regard, the 
Commission notes that, according to the Federal Bureau of 
Investigation's internet Crime Complaint Center, the U.S. population, 
including U.S. territory residents, incurred an estimated $10.9 billion 
in losses from cybercrime in 2023. Based on a 2023 U.S. population of 
335 million, this equates to a per-capita loss of about $32.50 per 
person from cybercrime. The Pilot Program caps support at a pre-
discount, annual level of $13.60 per student for most schools and 
school districts. If the Pilot can reduce the annual monetary cost of 
cyberattacks on participating K-12 schools by at least 42 percent, the 
expected economic benefits of increased cybersecurity would exceed the 
per-student funding costs. The Commission expects that there may be 
additional benefits that cannot be easily quantified, such as a 
reduction in learning downtime caused by cyberattacks, reputational 
benefits from increased trust in school and library systems, increased 
digital and cybersecurity literacy among students and school staff, and 
the safeguarding of intellectual property. Despite these benefits, the 
Commission is also concerned about the overall cost to the Fund if it 
were to provide cybersecurity funding to all E-Rate participants, which 
CoSN estimates could cost the Fund $2.389 billion annually. This 
limited Pilot Program will therefore enable the Commission to evaluate 
the benefits of using universal service funding to fund cybersecurity 
services and equipment against the costs before deciding whether to 
support it on a permanent basis.
    23. The Commission next make eligibility for participation in the 
Pilot Program open to all eligible schools and libraries, including 
those that do not currently participate in the E-Rate program. In the 
Cybersecurity NPRM, the Commission sought comment on the types of 
entities that should be eligible to participate in the Pilot Program. 
The Commission observed that a wide array of entities participate in 
the E-Rate program, and sought comment on how to ensure that the Pilot 
likewise has a diverse participant pool. Specifically, the Commission 
asked whether: (i) eligibility should be limited to schools and 
libraries currently participating in the E-Rate program; (ii) 
eligibility should be expanded to include schools and libraries that do 
not currently participate in the E-Rate program; or (iii) eligibility 
should include any entity that qualifies for funding through the E-Rate 
program. The Commission proposed to adopt the same definitions for 
schools and libraries as used in the E-Rate

[[Page 61287]]

program, when determining the eligibility of Pilot participants.
    24. Commenters generally supported leveraging the E-Rate program 
rules to determine the types of entities that should be eligible to 
participate in the Pilot Program, with at least a few encouraging the 
Commission to limit eligibility to existing E-Rate applicants. For 
example, The Internet & Television Association (NCTA) argued that 
limiting eligibility to existing E-Rate participants was appropriate 
``since [Pilot] cybersecurity services will be integrated with the 
connectivity being purchased pursuant to the E-Rate program.'' Several 
commenters urged the Commission to make consortia eligible, consistent 
with the E-Rate program. These commenters noted that consortia ``can 
provide valuable services at scale,'' which would allow the Commission 
to ``stretch the limited proposed Pilot funding and increase the impact 
to more students and schools.'' Others suggested that it expand 
eligibility to include local and other government entities and 
Educational Service Agencies (ESAs).
    25. The Commission has determined that it will permit all eligible 
schools and libraries, including those that do not currently 
participate in the E-Rate program, to apply to participate in the 
Pilot. The Commission adopts the definitions of elementary school, 
secondary school, library, and library consortium contained in Final 
Rules section of the Order, which mirror the definitions that it uses 
for the E-Rate program. In taking these steps, the Commission declines 
to adopt suggestions from commenters that it limit Pilot eligibility to 
only those schools and libraries that currently participate in the E-
Rate program. The Commission observes that all schools and libraries 
currently face increased cybersecurity threats and attacks regardless 
of whether they receive E-Rate funding and opening the Pilot Program to 
all eligible schools and libraries will allow us to gather data from 
the widest range of eligible participants. While the Commission 
appreciates the concern raised by NCTA and others that the Pilot should 
focus on protecting E-Rate-funded networks, it believes that, on 
balance, opening the Pilot Program to a wider pool of participants 
would best ensure that it has sufficient data to evaluate the impact of 
universal service support on the purchase of cybersecurity services and 
equipment both now and in the future. Given the large percentage of 
eligible schools that participate in the E-Rate program, the Commission 
anticipates that the overwhelming majority of Pilot participants will 
also be E-Rate participants.
    26. Consistent with the Commission E-Rate rules, it further 
clarifies that it will also permit eligible schools and libraries that 
apply as a consortium to participate in the Pilot Program. The 
Commission agrees with commenters that consortia have buying power that 
can help bring down costs and that including consortia in the Pilot 
would allow larger, better-resourced schools and libraries to partner 
with smaller, less technically savvy participants. Given the limited 
funding for the Pilot Program and the Commission's objective to select 
as many participants as possible, it will allow a school or library to 
apply and participate only once in the Pilot Program, either 
individually or as part of a consortium. The Commission declines to 
extend eligibility to local and other governmental entities, including 
ESAs, or other entities that are not an eligible school or library as 
defined in Sec.  54.2000 of the Commission's rules adopted. However, 
non-eligible entities, including local, state, and Tribal governmental 
entities, and other not-for-profit organizations may serve as a 
consortium leader for a consortium participant in the Pilot, but as in 
the Rural Health Care, E-Rate, and Connected Care Pilot programs, will 
be ineligible to receive Pilot benefits, discounts, and funding, and 
therefore must pass through the benefits, discounts, and support to the 
eligible school and library consortium members. While the Commission 
recognizes that local governmental entities may provide economies of 
scale or cybersecurity expertise that would benefit schools and 
libraries, the E-Rate and Rural Health Care programs direct USF support 
to schools, libraries, and health care providers, pursuant to sections 
254(c)(3) and 254(h) of the Communications Act of 1934, as amended (the 
Act). As its legal authority for the Pilot stems from the same source, 
the Commission declines to expand Pilot eligibility to include 
governmental and other entities that would be ineligible under the E-
Rate or Rural Health Care programs; however, it recognizes the 
expertise and value of these entities by allowing them to serve as 
ineligible consortium leaders that pass through the benefits, 
discounts, and support from the Pilot Program to their eligible school 
and library consortium members. The Commission directs the Bureau and 
USAC to provide additional training and guidance on creating a Pilot 
consortium and serving as a consortium leader in the Pilot. The 
Commission also directs the Bureau and USAC to establish measures to 
prevent eligible schools and libraries from receiving duplicative Pilot 
support as individual Pilot participants and as Pilot consortium 
members.
    27. The Commission adopts a Pilot Eligible Services List (P-ESL) 
which specifies eligible cybersecurity services and equipment for the 
Pilot. In the Cybersecurity NPRM, the Commission sought comment on the 
``equipment and services . . . that should be made eligible to 
participants in the Pilot'' and on whether it should specify eligible 
services and equipment using ``general criteria'' or a ``list of 
specific technologies.'' Based on the record, the Commission adopts a 
flexible approach for the P-ESL as it deems services and/or equipment 
eligible if they ``constitute a protection designed to improve or 
enhance the cybersecurity of a K-12 school, library, or consortia.'' At 
the same time, the Commission provides applicants with specificity and 
clarity in practical terms in the P-ESL, as it enumerates as eligible, 
in a non-limiting manner, four general categories of technology raised 
by commenters as effective in combatting cyber threats, namely, (i) 
advanced/next-generation firewalls; (ii) endpoint protection; (iii) 
identity protection and authentication; and (iv) monitoring, detection, 
and response. Moreover, for each of these categories, the Commission 
provides a non-exhaustive list of examples of eligible services and 
equipment in the P-ESL. Through the list of examples, the Commission 
confirms that the wide range of services and equipment it had proposed 
for inclusion in the Cybersecurity NPRM, or that commenters had 
otherwise requested, are eligible. The Commission designates the 
eligible services and equipment for the duration of the Pilot through 
the P-ESL. The Commission also delegates authority to the Bureau, as 
needed, to clarify and make technical changes to the P-ESL consistent 
with the standards it established herein, to promote efficient program 
administration and account for technological evolution.
    28. The Commission agrees with commenters who opine that Pilot 
participants should have flexibility to determine which solutions best 
serve their needs by basing eligibility on broader considerations, 
rather than a specific and potentially rigid set of pre-authorized 
components. Its approach is consistent with Rubrik's view that it 
``provide general guidance for applicants, but not lock them into 
specific technology products.'' Its approach also includes as eligible 
the advanced or next-generation firewalls,

[[Page 61288]]

endpoint security and protection, and other advanced security services 
and equipment identified by E-Rate stakeholders, including FFL and 
CoSN. At the same time, by enumerating four non-limiting categories of 
eligible technology, the Commission finds that its approach also meets 
the recommendations of commenters that it ``establish general 
categories of eligible offerings'' without ``specify[ing] the precise 
technologies or solutions that must be relied upon'' and allow 
``[p]ilot participants to select any product and/or services that fall 
into any of the eligible categories.'' Its approach also ensures that 
most, if not all, of the cybersecurity services and equipment needed to 
implement recommendations from the CISA K-12 Cybersecurity Report, the 
Education Department K-12 Digital Infrastructure Briefs, and other 
Federal resources and guides are eligible while still allowing Pilot 
participants significant flexibility to determine the extent to which 
any of these specific measures would be most cost-effective for them to 
implement. While the Commission declines to make these or other Federal 
recommendations the sole basis for determining eligibility for the 
purposes of the Pilot, it strongly encourages all participants to 
consider these Federal recommendations, particularly those that can be 
implemented at little or no cost, as part of their assessment of which 
services and equipment to request to be funded through the Pilot. The 
Commission directs the Bureau to identify these Federal 
recommendations, and it directs the Bureau and USAC to facilitate 
access to these recommendations by including information related to 
them on relevant program websites and in training materials that each 
entity makes available to Pilot participants. The Commission further 
directs the Bureau and USAC to periodically update the information 
provided on their respective websites and in the training materials to 
reflect relevant updates to the recommendations that may issue during 
the duration of the Pilot.
    29. The Commission finds that specifying eligibility based on 
broader considerations is appropriate in the context of a Pilot that 
aims to study the effectiveness of a wide variety of technological 
solutions. The Commission further finds that its approach, in which it 
declines to attempt to exhaustively list every possible technological 
category or eligible service or piece of equipment within a category, 
is reasonable and reflects the rapidly-changing nature of the technical 
solutions available to address cybersecurity threats and attacks. Its 
approach also ensures that services or equipment are not deemed 
ineligible merely because the service provider or equipment-maker uses 
a label or term to describe it that is not specifically enumerated in 
the P-ESL. To provide participants with further flexibility, and in 
view of a lack of consensus around the terminology used to describe 
similar cyber solutions, the Commission makes eligible both the 
specific services and equipment identified in the P-ESL, as well as 
ones that have ``substantially similar features or their equivalents.'' 
The Commission also makes eligible security updates and patches, which 
will help to ensure that participants are protected even as threat 
vectors evolve over the course of the Pilot. The Commission finds that 
this will help to ensure that the services and equipment funded through 
the Pilot do not reach their end of useful life prematurely, thus 
avoiding waste in the Pilot Program. Finally, consistent with the 
flexible approach the Commission adopts, it clarifies that applicants 
are permitted to seek funding for multi-year licenses for eligible 
recurring services that are longer than three years, however, only 
services delivered within the Pilot Program period can be reimbursed 
using Pilot funds. Similarly, the costs of eligible services that will 
be incurred during the Pilot Program period are eligible, subject to 
compliance with procurement requirements and limitations on duplicative 
funding, even if prior years' costs were paid with another funding 
source.
    30. The Commission further finds its approach strikes a reasonable 
balance between specifying basic limits on the scope of eligible 
services and equipment, which reflects the limited funding available 
for the Pilot and the need to safeguard Pilot funds from being used on 
components unrelated to Pilot objectives, while providing participants 
with clarity and significant flexibility to address their unique 
cybersecurity threat profiles, which they are ultimately in the best 
position to assess. Moreover, its enumeration of four key categories of 
technology, and specific services and equipment within each area, 
ensures that USAC will be positioned to expediently conduct program 
integrity and service reviews and quickly issue funding decisions for 
the eligible Pilot Program services and equipment.
    31. The Commission clarifies that its inclusion of a given 
technological category, equipment, or service in the P-ESL and/or any 
subsequent determination by the Bureau that a specific piece of 
equipment or service is eligible in the Pilot Program, is not an 
endorsement by the Commission, the Bureau, or USAC that the equipment 
or service is sufficiently cost- or technologically-effective for its 
intended purpose (e.g., in preventing a breach, a loss of data, or 
other harm). Rather, the Commission expects participants to select 
equipment and services from among those that are eligible based on 
their own assessments of cost-effectiveness in addressing their 
specific needs. Accordingly, a participant may not rely on eligibility 
determinations made by the Commission or the Bureau in the Pilot as a 
defense or safe harbor should it experience a cyber incident, including 
a breach, a data loss, or other harm. Moreover, the Commission 
clarifies that the services and equipment listed in the P-ESL are 
eligible only when they are used on or as a part of a participant's 
school or library broadband network that directly furthers its 
educational mission. The Commission finds this clarification 
appropriate to ensure that it can satisfy the statutory purpose of the 
E-Rate program, as well as its goal of measuring the costs associated 
with cybersecurity services and equipment. The Commission also declines 
to limit eligible services and equipment for the Pilot to those that 
are used on E-Rate-funded broadband networks only. The Commission finds 
this step reasonable given that Pilot participants are not limited 
solely to current applicants in the E-Rate program.
    32. In the Cybersecurity NPRM, the Commission sought comment on 
whether to make advanced and next-generation firewalls eligible for the 
Pilot and, if so, how to define the scope of these terms. The 
Commission adopts this proposal to enable Pilot participants to protect 
their networks from outside cyber attackers by blocking malicious or 
unnecessary network traffic. For purposes of the Pilot, the Commission 
defines an ``advanced'' or ``next-generation'' firewall as ``equipment, 
services, or a combination of equipment and services that limits access 
between networks, excluding basic firewall services and components that 
are currently funded through the E-Rate program.'' This definition is 
reflected in the P-ESL.
    33. The Commission agrees with the vast majority of commenters that 
advanced or next-generation firewalls are a logical starting point and 
an important tool to include in the Pilot as it studies the potential 
use of universal service funding to protect eligible schools and 
libraries from cybersecurity threats and attacks. The Commission

[[Page 61289]]

also agrees that making these tools eligible in the Pilot will provide 
the Commission with a stronger understanding of the technical benefits 
and cost implications of potentially funding these tools in the broader 
E-Rate program. While no commenter directly opposed the view that 
advanced and next-generation firewalls could meaningfully improve 
security postures, a few commenters opined that the associated funding 
could be used more effectively in other ways, including to fund 
training of ``staff and end-users.'' The Commission disagrees with 
these commenters and find that funding advanced and next-generation 
firewalls is justified in light of the Commission's previous findings 
establishing the value of these technologies, and it finds it 
reasonable to extend Pilot funding to these tools rather than to fund, 
e.g., training more broadly than described further below or the less-
vetted alternatives raised by commenters. The Commission further finds 
that the funding of specific advanced firewall technologies will 
provide more quantifiable and tractable benefits compared with funding 
broad cybersecurity training programs, based on undetermined materials 
and methods.
    34. However, the Commission does agree that funding some level of 
training will help to ensure that the Pilot-funded equipment and 
services are used effectively and for maximum benefit. Accordingly, it 
makes training eligible on terms similar to those in E-Rate, namely, 
when the training is included ``as a part of installation services but 
only if it is basic instruction on the use of eligible equipment, 
directly associated with equipment installation, and is part of the 
contract or agreement for the equipment'' and if it ``occur[s] 
coincidently or within a reasonable time after installation.'' The 
Commission finds that this approach balances the need to ensure that 
applicants have access to training that will enable them to effectively 
oversee, utilize, and supervise the use of the Pilot-funded equipment 
and services and prevent the limited Pilot funds from being 
disproportionately used for cybersecurity awareness training for staff 
and end-users, thereby, limiting the number of technical solutions that 
can be implemented and evaluated during the course of the Pilot. 
However, in contrast to the E-Rate program, it does not require that 
the training be provided ``[o]n-site'' to be eligible. The Commission 
finds it appropriate to fund off-site training as much of the equipment 
and services identified in the P-ESL are likely to be supplied or 
otherwise provided to a participant remotely. The Commission notes that 
there are numerous free cybersecurity training resources already 
available through its Federal Government partners. The Commission also 
expects, based on its years of experience directing USAC's 
administration of the E-Rate program, that vendors are likely to 
include basic training at no additional cost as part of their sale of 
the eligible equipment and services.
    35. The Commission also clarifies that for the purposes of the 
Pilot Program eligibility rules that ``advanced'' and ``next-
generation'' firewalls exclude services and/or equipment that are 
eligible in the E-Rate program. Participants are therefore required to 
cost allocate components or features that are eligible in E-Rate (e.g., 
basic firewall components and features) when seeking reimbursement for 
their eligible equipment and services in the Pilot. Its approach 
reflects a definition of the term ``firewall'' endorsed by the National 
Institute of Standards and Technology (NIST) with a carve out for 
services and equipment that are already funded through the E-Rate 
program. The Commission finds it is appropriate to adopt a broad 
definition as this is consistent with its objective to determine the 
technological benefits and monetary costs associated with a wide and 
diverse range of tools for addressing cybersecurity threats and 
attacks. At the same time, the Commission finds it reasonable to 
exclude from its definition basic firewall services and equipment that 
are currently funded through the E-Rate program. The Commission finds 
that this approach ensures that Pilot funds are spent efficiently, 
i.e., only on services and equipment not already funded through other 
USF programs, and that this approach will thus maximize the amount of 
data and information collected on cybersecurity tools during the Pilot. 
The Commission further finds that its approach provides sufficient 
clarity to Pilot participants, and flexibility to request funding for 
advanced firewalls as they may continue to evolve over the course of 
the Pilot, while avoiding difficulties associated with attempting to 
exhaustively enumerate all relevant technological features. To further 
address commenter views, and as reflected in the P-ESL, the Commission 
confirms that most, if not all, of the relevant features that 
commenters endorse as ``advanced'' and ``next-generation'' firewall 
features, including intrusion detection and prevention, application-
level inspection, anti-malware and anti-virus protection, virtual 
private network (VPN), Domain Name System (DNS) security, distributed 
denial-of-service (DDoS) protections, and content filtering 
technologies, are eligible for the Pilot.
    36. The Commission declines to adopt the proposal of some 
commenters, made in this proceeding and in response to the Bureau's 
recent Public Notices related to the scope of the Funding Year 2024 E-
Rate ESL, that it immediately makes advanced and/or next-generation 
firewalls eligible in the E-Rate program, even as it continues to study 
the benefits and costs of other services and equipment through the 
proposed Pilot. Making advanced and/or next-generation firewalls 
immediately eligible in the E-Rate program would run directly counter 
to its proposed purpose of the Pilot Program to, among other things, 
``measur[e] the costs associated with . . . advanced firewall services, 
and the amount of funding needed to adequately meet the demand for 
these services if extended to all E-Rate participants.'' As similarly 
noted by the National Education Organizations (EdGroup), an aim of the 
Pilot is to further ``demonstrate the need for and costs of 
cybersecurity measures such as advanced firewalls, and to gauge how 
districts would respond to available federal funding.'' The Commission 
finds it reasonable, and consistent with its obligations to be a 
careful steward of the limited USF funds, to first study the costs and 
benefits of advanced and/or next-generation firewalls in the Pilot, 
before making any determination on whether and how to potentially make 
these services and equipment eligible through the E-Rate program.
    37. Next, the Commission makes endpoint protection, including anti-
virus, anti-malware, and anti-ransomware, services and equipment 
eligible in the Pilot so that participants can protect their networks 
from potential vulnerabilities introduced by desktops, laptops, mobile 
devices, and other end-user devices that connect to their networks. For 
the purposes of the Pilot, the Commission defines endpoint protection 
as ``equipment, services, or a combination of equipment and services 
that implements safeguards to protect school- and library-owned end-
user devices, including desktops, laptops, and mobile devices, against 
cybersecurity threats and attacks.'' This definition is reflected in 
the P-ESL.
    38. The Commission agrees with the many commenters who argue for 
the inclusion of the specific endpoint technologies that it makes 
eligible. The Commission also agrees with

[[Page 61290]]

commenters that providing funding for endpoint protection should be a 
priority in investigating ways to improve a school's or library's 
network security. The Commission finds that its approach is justified 
as school and library networks continue to evolve to include an ever 
increasing number of endpoint devices, including desktops, laptops, and 
mobile devices that serve as points of vulnerability. Moreover, the 
Commission finds that this approach provides funding to address the 
Center for internet Security's (CIS) observations that a large 
percentage of cyberattacks involve ransomware, malware, web application 
hacking, insider and privilege misuse, and target intrusions. No 
commenter objects to the Pilot funding endpoint protection. The 
Commission further finds that its definition of endpoint protection is 
reasonable as it largely reflects a definition endorsed by NIST, but 
allows for tools to be software- or non-software-based and emphasizes 
that, to be eligible, tools must defend against cyberattacks.
    39. The Commission also makes identity protection and 
authentication tools eligible in the Pilot so that participants can 
prevent malicious actors from accessing and compromising their networks 
under the guise of being legitimate users. Such tools may include DNS/
DNS-layer security, content blocking and filtering/URL filtering, 
multi-factor authentication (MFA)/phishing-resistant MFA, single sign-
on (SSO), and event logging. For the purposes of the Pilot, the 
Commission defines identity protection and authentication as 
``equipment, services, or a combination of equipment and services that 
implements safeguards to protect a user's network identity from theft 
or misuse and/or provide assurance about the network identity of an 
entity interacting with a system.'' This definition is reflected in the 
P-ESL.
    40. The Commission agrees with the large number of commenters who 
argue for the inclusion of the specific identity protection and 
authentication technologies that it makes eligible. The Commission also 
agrees with commenters that deploying these tools will better ensure 
that unauthorized users will be unable to gain network access, unable 
to cause network damage if they do gain access, and/or provide an early 
warning to schools and libraries of unusual or anomalous behavior that 
could signal the presence of near and future cyber threats or attacks 
while they can still be effectively remediated. No commenter objects to 
the Pilot funding identity protection and authentication technologies. 
Moreover, the Commission finds that its definition of identity 
protection and authentication is reasonable as it largely reflects a 
definition of ``identity authentication'' endorsed by NIST, and also 
clarifies that protection involves protection from theft or misuse.
    41. The Commission further makes network monitoring, detection, and 
response, including the use of security operations centers (SOCs) for 
managed cybersecurity services, eligible in the Pilot so that 
participants can promptly and reliably detect and neutralize malicious 
activities that would otherwise compromise their networks. For purposes 
of the Pilot, the Commission defines monitoring, detection, and 
response as ``equipment, services, or a combination of equipment and 
services that monitor and/or detect threats to a network and that take 
responsive action to remediate or otherwise address those threats.'' 
This definition is reflected in the P-ESL.
    42. The Commission agrees with the large number of commenters who 
argue for the inclusion of the specific monitoring, detection, and 
response technologies that it makes eligible. The Commission also 
agrees with commenters who advocate for the inclusion of these services 
and equipment as an important approach to remediating cybersecurity 
threats and attacks, particularly given the limited resources of 
schools/libraries to hire or retain staff or other personnel to conduct 
these activities themselves. No commenter objects to the funding of 
network monitoring, detection, and response solutions.
    43. The Commission imposes a number of limitations on eligibility 
to ensure the efficient and appropriate use of the limited Pilot funds, 
and to avoid duplicative funding, protect against waste, fraud, and 
abuse, and stretch the limited support available through the Pilot. 
First, the Commission makes ineligible for the Pilot funding any 
services, equipment, or associated cost that is already eligible 
through the E-Rate program. The Commission similarly makes ineligible 
for Pilot funding any service, equipment, or associated cost for which 
an applicant has already received full reimbursement, or plans to apply 
for full reimbursement, through any other USF or Federal, state, 
Tribal, or local government program through which reimbursement is 
sought. Participants may, however, use Pilot funding to support Pilot-
eligible services and equipment that participants were previously 
paying for themselves, subject to its competitive bidding rules, as 
this will allow the Commission to evaluate the efficacy of using 
universal service funding to support cybersecurity services and 
equipment, while potentially freeing up funding for participants to use 
for other needs. The Commission finds that limiting eligibility in this 
manner ensures that the Commission maximizes the use of the limited 
Pilot funding by eliminating the provision of redundant or duplicative 
support for the same cybersecurity services and equipment funded 
through other sources. It will also maximize the data and information 
the Commission is able to collect on new services and equipment not 
already funded through E-Rate or other programs, thus efficiently using 
Pilot resources to best inform any potential Commission action based on 
the Pilot data. As is customary in E-Rate, the Commission requires 
Pilot participants to perform a cost allocation to remove from their 
funding requests costs associated with ineligible components or 
functions of an otherwise eligible equipment or service.
    44. In the Cybersecurity NPRM, the Commission proposed to limit 
eligibility to ``equipment that is network-based (i.e., that excludes 
end-user devices, including, for example, tablets, smartphones, and 
laptops) and services that are network-based and/or locally installed 
on end-user devices, where the devices are owned or leased by the 
school or library,'' and to equipment and services that are ``designed 
to identify and/or remediate threats that could otherwise directly 
impair or disrupt a school's or library's network, including to threats 
from users accessing the network remotely.'' The Commission adopts this 
proposal in the P-ESL with a clarification that ``network-based'' 
services include those that are cloud-based and server-based. In doing 
so, the Commission address concerns raised by some commenters by 
confirming that the term ``network-based'' solutions includes both 
cloud and server-based solutions. The Commission finds this 
clarification appropriate since both servers and cloud architectures 
are used in conjunction with a network.
    45. In taking this action, the Commission disagrees with the view 
expressed by Clark County School District (CCSD) that limiting 
eligibility in the way it had proposed would ``not go far enough in 
protecting end-users.'' Contrary to CCSD's views, the Commission's 
consideration for eligibility specifically encompass ``end-user 
devices, where the devices are owned or leased by the school or 
library.'' The Commission also disagrees

[[Page 61291]]

with CTIA's view that eligibility should extend to end-user devices not 
owned or leased by the school or library since ``leaving even one 
device exposed compromises an entire network.'' While the Commission is 
sympathetic to this view on a technical level, it finds it 
administratively and financially impractical to expand eligibility to 
an even larger (and unknowable) number of additional devices that 
students, school staff, and library patrons may seek to connect to 
their networks over the duration of the Pilot Program. For purposes of 
the Pilot, the Commission therefore prioritize protection for (i.e., 
limit eligibility to) devices that are the most essential to a school's 
or library's educational mission and likely to be used to convey 
traffic on the networks of these participants. The Commission's overall 
approach further addresses CTIA's concerns by making a wide range of 
network-based protections available to monitor, detect, and remediate 
potential threats introduced by an end-user device that does not 
qualify for funding under Pilot Program rules. Practically speaking, 
schools and libraries cannot as easily limit access to their networks 
by their leased and owned devices while still fulfilling their core 
educational mission. The Commission thus finds that its approach 
strikes a reasonable balance between affording protections to the 
devices most essential and likely to be used on a school's or library's 
network, reducing threats that may be posed by non-funded devices 
(e.g., through its decision to make eligible network-level protection 
technologies) and effectively deploying the limited amount of Pilot 
funding to provide benefits to a diverse range of schools and 
libraries. Accordingly, for these reasons and those previously provided 
in the Cybersecurity NPRM, the Commission adopts its proposal as 
clarified.
    46. To further protect the Pilot's limited funds, the Commission 
restricts eligibility in a number of ways. The Commission deems 
ineligible (i) staff salaries and labor costs for a participant's 
personnel and (ii) beneficiary and consulting services that are not 
related to the installation and configuration of the eligible equipment 
and services. This mirrors restrictions in the E-Rate program that have 
proven to be effective in conserving the limited USF funds. The 
Commission expects that this action will provide similar benefits in 
the context of the Pilot. The Commission similarly deems ineligible 
insurance costs and any costs associated with responding to specific 
ransom demands. The Commission finds that these restrictions are 
necessary to ensure that the limited Pilot funding is used for the 
evaluation of specific technologies, i.e., eligible cybersecurity 
services and equipment, so that it can gain maximum insight into the 
technical effectiveness of those offerings. The Commission finds it 
reasonable to exclude these enumerated uses from the Pilot, which has 
even more limited funding available as compared to the E-Rate program.
    47. In the Cybersecurity NPRM, the Commission sought comment on 
``whether it should place restrictions on the manner or timing of a 
Pilot participant's purchase of security measures,'' including whether 
``funding [should] be limited to a participant's one-time purchase of 
security measures or [if it] should . . . cover the on-going, recurring 
costs that a Pilot participant may incur, for example, in the form of 
continual service contracts or recurring updates to the procured 
security measures.'' The Commission received only a few comments in 
response with commenters suggesting that any such restrictions should 
be minimally burdensome and avoid unnecessarily interfering with 
participants' attempts to obtain funding support. Accordingly, the 
Commission confirms that Pilot participants may request reimbursement 
for one-time purchases, as well as the recurring costs of eligible 
security measures. As discussed in this proceeding, Pilot participants 
will be permitted to request reimbursement as expenses are incurred, 
whether for one-time or recurring expenses, subject to the limitations 
regarding participants' budgets as well as funding commitments.
    48. Supply Chain Restrictions. In the Cybersecurity NPRM, the 
Commission proposed to apply the Secure and Trusted Communications 
Networks Act of 2019 to Pilot participants by prohibiting these 
participants from using any funding obtained through the program to 
purchase, rent, lease, or otherwise obtain any of the services or 
equipment on the Commission's Covered List or to maintain any of the 
services or equipment on the Covered List that was previously 
purchased, rented, leased, or otherwise obtained. The Commission also 
sought comment on whether ``there are any other restrictions or 
requirements that it should place on recipients of Pilot funds based on 
the Secure [and Trusted Communications] Networks Act and/or other . . . 
concerns related to supply chain security.'' The Commission adopts its 
proposal to bar Pilot participants from using Pilot funding in ways 
prohibited by the Secure and Trusted Communications Networks Act and/or 
the Commission's rules, including Sec. Sec.  54.9 and 54.10 of the 
Commission's rules, that implement the Secure and Trusted 
Communications Networks Act. Accordingly, Pilot participants are 
prohibited by Sec.  54.9 of the Commission's rules from using funding 
made available through the Pilot to ``purchase, obtain, maintain, 
improve, modify, or otherwise support any equipment or services 
produced or provided by any company posing a national security threat 
to the integrity of communications networks or the communications 
supply chain,'' including Huawei Technologies Company and ZTE 
Corporation, and their parents, affiliates, and subsidiaries. Pilot 
participants are also prohibited by Sec.  54.10 of the Commission's 
rules from using Pilot funding to ``[p]urchase, rent, lease, or 
otherwise obtain any . . . communications equipment or service'' or 
``[m]aintain any . . . communications equipment or service previously 
purchased, rented, leased, or otherwise obtained'' that is included on 
the Commission's Covered List. The Commission notes that the entities, 
services, and equipment designated under these rules may evolve over 
time as the Commission's Public Safety and Homeland Security Bureau 
(PSHSB) revises its designations of covered companies and/or issues 
updates to the Covered List. It is the responsibility of Pilot 
participants to ensure they remain in compliance with the Secure and 
Trusted Communications Networks Act, and the Commission's related 
rules, if such revisions are made. The Commission finds that these 
actions will effectively ensure that potential risks and 
vulnerabilities in Pilot participants' communications networks are 
addressed in the manner intended and directed by Congress in the Secure 
and Trusted Communications Networks Act. Cisco generally supports this 
approach, and no commenter opposes it.
    49. Application Process for Pilot Program. The Commission adopts 
application and selection processes for the Pilot Program patterned 
after the Connected Care Pilot Program, adopt several of the 
application, selection, and administrative proposals from the 
Cybersecurity NPRM, and designate USAC to be the Administrator of the 
Pilot Program. In the Cybersecurity NPRM, the Commission proposed to 
structure the Pilot Program in a manner similar to the Connected Care 
Pilot Program. In particular, the Commission proposed that schools, 
libraries, and consortia would apply to be Pilot participants and that 
those entities

[[Page 61292]]

selected to participate in the Pilot would be eligible to apply for 
funding for eligible cybersecurity services and equipment. The 
Commission also proposed that Pilot participants would receive a 
funding commitment and, after receipt of the commitment, would be 
eligible to receive cybersecurity services and equipment and submit 
requests for reimbursement for Pilot funding. The Commission further 
proposed that USAC be appointed the Administrator of the Pilot Program. 
Two commenters specifically expressed support for its proposal to 
structure the Pilot in a manner similar to the Connected Care Pilot 
Program. Only one commenter, the American Library Association (ALA), 
addressed its proposal that USAC be appointed the Administrator of the 
Pilot Program, agreeing that the application process and other aspects 
of the Pilot Program should be administered by USAC.
    50. The Commission also proposed in the Cybersecurity NPRM that 
entities interested in participating in the Pilot be required to submit 
a Pilot Program Application (FCC Form 484) describing their proposed 
use of Pilot funds, including, but not limited to, the following 
information: (i) identification and contact information; (ii) 
cybersecurity posture and risk management practices; (iii) information 
on unauthorized access and cybersecurity incidents; (iv) the specific 
types of cybersecurity services and equipment to be purchased with 
Pilot funds; and (iv) how the entities plan to collect data and track 
their cybersecurity progress if selected as a Pilot participant. While 
there was minimal opposition to the collection of general information, 
the majority of commenters recommended against the collection of 
applicant-specific cybersecurity information. For example, some 
commenters recommended that the Commission refrain from seeking 
information about previous cyber threats, attacks, or incidents as part 
of the FCC Form 484 application. Still others recommended that 
applicants not be required to provide details regarding their 
cybersecurity postures, network environments, or current protection 
measures (or lack thereof). Several commenters recommended that the FCC 
Form 484 application process be minimally burdensome, and a few 
commenters recommended that it align with E-Rate tools and concepts 
that are familiar to E-Rate applicants wherever possible.
    51. Finally, The Commission proposed in the Cybersecurity NPRM that 
applicants and participants submit their FCC Form 484 applications via 
an online platform designed and operated by USAC and inquired as to 
confidentiality or security concerns. The Commission also asked how it 
could best leverage its prior experience in other USF and 
congressionally-appropriated programs and sought comment on lessons 
learned. For administrative efficiency, the Commission further proposed 
that the Bureau select Pilot participants in consultation with the 
Office of Economics and Analytics (OEA), PSHSB, and the Office of the 
Managing Director (OMD), as needed. The Commission also proposed to 
delegate to the Bureau the authority to implement the proposed Pilot 
and direct USAC's administration of the program consistent with the 
Commission's rules and oversight. No commenter addressed the submission 
of the FCC Form 484 applications using an online platform designed and 
operated by USAC, though some expressed concerns about the 
confidentiality and security of cybersecurity data provided as part of 
the application process. Comments related to past experience and 
lessons learned focused on the requests for reimbursement and invoicing 
processes, are discussed in the Order. Many commenters supported the 
Commission's legal authority to conduct the Pilot Program, but did not 
address Bureau review of Pilot Program applications in consultation 
with OEA, PSHSB, and OMD, or the delegation of authority to the Bureau 
to implement the Pilot or direct USAC's administration of the Pilot.
    52. Based on the record, the Commission adopts several of the 
proposals from the Cybersecurity NPRM. Specifically, the Commission 
adopts the application, selection, and administrative proposals, and it 
designates USAC to be the Administrator of the Pilot. In doing so, the 
Commission is mindful of the concerns expressed by commenters about the 
scope of information to be included in the FCC Form 484 application and 
agree that the initial application process would benefit from a 
decrease in the amount of cybersecurity-sensitive school and library 
data requested. To that end, the FCC Form 484 application will be split 
into two parts. The first part will collect a more general level of 
cybersecurity information about the applicant and its proposed Pilot 
project, and will use pre-populated data where possible, as well as a 
number of ``yes/no'' questions and questions with a predetermined set 
of responses (i.e., multiselect questions with predefined answers). The 
second part will collect more detailed cybersecurity data and Pilot 
project information, but only from those who are selected as Pilot 
participants. The Commission will treat all cybersecurity-related 
information requested and provided in the FCC Form 484 as presumptively 
confidential, and will not make it routinely available for public 
inspection.
    53. To be considered for the Pilot, an applicant must complete and 
submit part one of the FCC Form 484 application describing its proposed 
Pilot project and providing information to facilitate the evaluation 
and eventual selection of high-quality projects for inclusion in the 
Pilot. Specifically, the applicant must explain how its proposed 
project meets the considerations outlined below. In addition, the 
applicant must present a clear strategy for addressing the 
cybersecurity needs of its K-12 school(s) and/or library(ies) pursuant 
to its proposed Pilot project, and clearly articulate how the project 
will accomplish the applicant's cybersecurity objectives. The 
Commission anticipates that successful applicants will be able to 
demonstrate that they have a viable strategic plan for providing 
eligible cybersecurity services and equipment directly to the school(s) 
and/or library(ies) included in their proposed Pilot projects. Further, 
the Commission expects applications to be tailored to the unique 
circumstances of each applicant. USAC and/or the Bureau may disqualify 
from consideration for the Pilot those applications that provide a bare 
minimum of information or are generic or template in nature.
    54. Part One Application Information. For the first part of the FCC 
Form 484 application, the Commission directs the Bureau and USAC to 
collect a general level of cybersecurity information from schools, 
libraries, and consortia that apply to participate in the Pilot 
Program. At a minimum, applications to participate in the Pilot Program 
must contain the following required information:
     Names, entity numbers, FCC registration numbers, employer 
identification numbers, addresses, and telephone numbers for all 
schools, libraries, and consortium members that will participate in the 
proposed Pilot project, including the identity of the consortium leader 
for any proposals involving consortia.
     Contact information for the individual(s) who will be 
responsible for the management and operation of the proposed Pilot 
project (name, title or

[[Page 61293]]

position, telephone number, mailing address, and email address).
     Applicant number(s) and type(s) (e.g., school; school 
district; library; library system; consortia; Tribal school or library 
(and Tribal affiliation)), if applicable; and current E-Rate 
participation status and discount percentage, if applicable.
     A broad description of the proposed Pilot project, 
including, but not limited to, a description of the applicant's goals 
and objectives for the proposed Pilot project, a description of how 
Pilot funding will be used for the proposed project, and the 
cybersecurity risks the proposed Pilot project will prevent or address.
     The cybersecurity equipment and services the applicant 
plans to request as part of its proposed project, the ability of the 
project to be self-sustaining once established, and whether the 
applicant has a cybersecurity officer or other senior-level staff 
member designated to be the cybersecurity officer for its Pilot 
project.
     Whether the applicant has previous experience implementing 
cybersecurity protections or measures (answered on a yes/no basis), how 
many years of prior experience the applicant has (answered by choosing 
from a preset menu of time ranges (e.g., 1 to 3 years)), whether the 
applicant has experienced a cybersecurity incident within a year of the 
date of its application (answered on a yes/no basis), and information 
about the applicant's participation or planned participation in 
cybersecurity collaboration and/or information-sharing groups.
     Whether the applicant has implemented, or begun 
implementing, any Education Department or CISA best practices 
recommendations (answered on a yes/no basis), a description of any 
Education Department or CISA free or low-cost cybersecurity resources 
that an applicant currently utilizes or plans to utilize, or an 
explanation of what is preventing an applicant from utilizing these 
available resources.
     An estimate of the total costs for the proposed Pilot 
project, information about how the applicant will cover the non-
discount share of costs for the Pilot-eligible services, and 
information about other cybersecurity funding the applicant receives, 
or expects to receive, from other Federal, state, local, or Tribal 
programs or sources.
     Whether any of the ineligible services and equipment the 
applicant will purchase with its own resources to support the eligible 
cybersecurity equipment and services it plans to purchase with Pilot 
funding will have any ancillary capabilities that will allow it to 
capture data on cybersecurity threats and attacks, any free or low-cost 
cybersecurity resources that the applicant will require service 
providers to include in their bids, and whether the applicant will 
require its selected service provider(s) to capture and measure cost-
effectiveness and cyber awareness/readiness data.
     A description of the applicant's proposed metrics for the 
Pilot project, how they align with the applicant's cybersecurity goals, 
how those metrics will be collected, and whether the applicant is 
prepared to share and report its cybersecurity metrics as part of the 
Pilot Program.
    To facilitate the inclusion of a diverse set of Pilot projects and 
to target Pilot funds to the populations most in need of cybersecurity 
support, particularly those with minimal or no cybersecurity 
protections today, the Commission anticipates selecting projects from, 
and providing funding to, a combination of large and small and urban 
and rural schools, libraries, and consortia, with an emphasis on 
funding proposed Pilot projects that include low-income and Tribal 
applicants. Similarly, and addressing concerns expressed by ActZero, 
the Commission encourages participation in the Pilot by a broad range 
of service providers and note that the rules and requirements it adopts 
here do not discourage new companies from participating. Nor does it 
require service providers to have preexisting service provider 
identification numbers (SPIN) before submitting cybersecurity bids or 
previous E-Rate experience before participating in the Pilot.
    55. When an applicant submits part one of its FCC Form 484 
application, it will be required to certify, among other things, that 
it is authorized to submit the application and is responsible for the 
data being submitted; the data being submitted is true, accurate, and 
complete; if selected for the Pilot, it will comply with all rules and 
orders governing the program, including the competitive bidding rules 
and the requirement to pay the non-discount share of costs for Pilot-
eligible services and equipment from eligible sources; all requested 
Pilot-funded eligible services and equipment will be used for their 
intended purposes; the schools, libraries, and consortia listed in the 
FCC Form 484 application are not already receiving, and do not expect 
to receive, other funding for the same cybersecurity services and 
equipment for which Pilot funding is being sought; it may be audited 
pursuant to its Pilot Program application and will retain any and all 
records related to its application for 10 years; and, if audited, it 
will produce those records at the request of the appropriate officials. 
The applicant must also certify that it understands that failure to 
comply with the Pilot Program rules and order(s) may result in the 
denial of funding, cancellation of funding commitments, and/or the 
recoupment of past funding disbursements. The Commission emphasizes 
that it is committed to protecting the integrity of the Pilot and 
ensuring that USF funds disbursed through the Pilot are used for 
eligible and appropriate purposes. In the event of a violation of Pilot 
Program rules or requirements, the Commission reserves the right to 
take appropriate actions, including, but not limited to, seeking 
recovery of funds or further enforcement action. Applicants who 
participate in the Pilot Program must also comply with all applicable 
Federal and state laws, including sections 502 and 503(b) of the Act, 
title 18 of the United States Code, and the Federal False Claims Act.
    56. While the Commission understands the desire by some commenters 
to keep the initial application as streamlined as possible, in order to 
evaluate the proposed Pilot projects and select well-defined and 
sustainable projects, it is incumbent on us to require certain 
information at the application stage. Thus, the Commission disagrees 
with commenters who say that applicants will need to possess a 
prohibitive amount of knowledge during the application stage and will 
not be able to describe how they propose to use Pilot Program funds 
until after they have been selected as Pilot participants. Although an 
applicant may not know the precise cybersecurity services and equipment 
it would seek to fund with Pilot funding, it is unlikely that an 
applicant would apply to participate in the program without having some 
general cybersecurity goals or plans for using the funding, if selected 
as a participant. Additionally, the Order contains a list of Pilot-
eligible services and equipment that will aid applicants as they begin 
formulating their proposed Pilot projects in advance of the opening of 
the FCC Form 484 application window. Applicants, therefore, should do 
their best to provide the requested information in the application, 
including information on estimated costs related to their proposed 
cybersecurity project.
    57. Selection Process for Pilot Program. To select Pilot 
participants, the Commission directs the Bureau and USAC to use limited 
prerequisites and a broad and objective set of evaluation factors with 
an emphasis on funding low-income and Tribal entities, consistent with 
the E-Rate and

[[Page 61294]]

Connected Care Pilot programs. In the Cybersecurity NPRM, the 
Commission sought comment on how to evaluate and prioritize Pilot 
applications. In particular, the Commission sought comment on what 
prerequisites, if any, the Commission should adopt to select 
participants. For example, it asked whether the adoption of free and 
low-cost cybersecurity tools and resources should be required for an 
applicant to be selected as a Pilot participant; Pilot participants 
should be required to correct known security flaws and conduct routine 
back-ups; Pilot participants should be required to join cybersecurity 
information-sharing groups, such as MS-ISAC or K12 SIX; Pilot 
participants should be required to implement, or demonstrate their 
plans to implement, recommended best practices from organizations like 
the Education Department, CISA, and NIST; and Pilot participants should 
be required to take steps to improve their cybersecurity posture by 
designating an officer or senior staff member to be responsible for 
cybersecurity implementation, updates, and oversight. The Commission 
received mixed reactions to its proposed use of prerequisites to select 
Pilot participants. At least one commenter thought the Commission 
should not utilize prerequisites to determine Pilot participation. 
Commenters were split on the proposal to require the adoption of free 
and low-cost cybersecurity tools and resources for an applicant to be 
selected as a Pilot participant. No commenter spoke directly to whether 
Pilot participants should be required to correct known security flaws 
or conduct routine back-ups as part of the Pilot Program, though a 
small number of commenters discussed whether Pilot funding should be 
targeted to allow schools and libraries to implement some or all of the 
items contained in the CISA list of highest priority steps. Some 
commenters thought requiring Pilot participants to join cybersecurity 
information-sharing groups was too onerous, while others found such a 
requirement beneficial. Some commenters supported the requirement for 
Pilot participants to implement, or demonstrate plans to implement, 
recommended best practices from organizations like the Education 
Department, CISA, and NIST or recommended using the best practices to 
evaluate Pilot Program success, though at least one commenter expressed 
reservations about the Commission doing so. The State E-Rate 
Coordinators Alliance (SECA) proposed that the Commission ``specify 
that completion or submission of an application for the free 
vulnerability assessment offered by CISA . . . [be] sufficient for 
meeting the assessment prerequisite as part of the Form 484 application 
process.'' Clear Creek Amana CSD (Clear Creek), however, cautioned 
against relying on Federal resources outside of a limited incident 
response plan following the NIST frameworks. A few commenters supported 
the proposal that a school, library, or consortium should have 
implemented or begun implementing a cybersecurity framework or program 
to participate in the Pilot. However, others called for selection based 
on a holistic view of an applicant's cybersecurity expertise and risk. 
CIS stated that designating an officer or senior staff member to be 
responsible for cybersecurity implementation, updates, and oversight 
was an important step towards cyber maturity that should be achievable 
by Pilot participants. The Alliance for Digital Innovation (ADI) 
similarly recommended that the Commission make leadership commitment a 
requirement to participate in the Pilot Program, noting that ``[s]enior 
leadership commitment plays a pivotal role in prioritizing 
cybersecurity within organizations.''
    58. The Commission also asked questions about reliance on objective 
versus subjective factors and how such factors should be used to select 
Pilot participants. In terms of objective factors, it asked whether the 
selection of Pilot participants should be based on E-Rate category two 
discount rate levels, location (e.g., urban vs. rural), and/or 
participant size (i.e., small vs. large). The Commission also sought 
comment on whether certain of those factors are more or less important 
than others from a Pilot selection standpoint and requested the 
underlying rationale for such determinations. Commenters generally 
agreed that the Pilot should prioritize the neediest applicants or 
those applicants that qualify for the highest discount percentages in 
the E-Rate program. Commenters overwhelmingly supported the 
Commission's proposal to incorporate a diverse array of applicants in 
the Pilot, including both urban and rural and large and small 
participants. Many commenters advocated for the preferential selection 
of consortia and statewide, regional, and local government 
applications, noting that such applications allow schools and libraries 
to stretch their cybersecurity dollars and extend cybersecurity 
protections to a larger pool of recipients. Similarly, other commenters 
encouraged the Commission to enable school districts to work across 
district and community boundaries to participate in the Pilot Program.
    59. For subjective Pilot selection factors, the Commission inquired 
as to whether the Pilot Program would benefit from including schools 
and libraries with advanced cybersecurity expertise only or whether 
cybersecurity expertise should not factor into Pilot participant 
selection at all. Relatedly, the Commission also sought comment on how 
it could ensure that schools and libraries that lack funding, 
expertise, or are otherwise under-resourced could meaningfully 
participate in the Pilot. The Commission asked commenters to address 
whether Pilot participants should be required to demonstrate that they 
have started to take actions to improve their cybersecurity posture. 
Conversely, the Commission also asked commenters whether a school or 
library should be required to provide a certification or other 
confirmation that, absent participation in the Pilot, it does not have 
the resources to start implementing CISA's K-12 cybersecurity 
recommendations. Commenters generally agreed that the Pilot would most 
benefit from including participants with a mix of cybersecurity 
expertise and varying cybersecurity postures. With respect to how to 
ensure that under-resourced schools and libraries are able to 
meaningfully participate in the Pilot, commenters suggested that the 
FCC and USAC conduct early and detailed Pilot Program outreach, 
including providing technical and other assistance to those applicants 
who are likely to need it most. No commenters addressed the proposal 
that a school or library be required to provide a certification or 
other confirmation that it does not have the resources to start 
implementing the CISA K-12 cybersecurity recommendations absent 
selection for the Pilot. CTIA recommended that applicants be required 
to disclose funding from non-Pilot sources and explain how Pilot 
Program funding would complement, but not duplicate, the applicant's 
existing cybersecurity tools and support.
    60. Along these same lines, the Commission also asked whether 
participation in the Pilot should be limited to those schools and

[[Page 61295]]

libraries that have faced or are facing particular types of 
cybersecurity threats or attacks. In particular, it sought comment on 
the types of cybersecurity threats and attacks encountered by schools 
and libraries and how they should be evaluated, if at all, when 
selecting Pilot participants and similarly, whether an applicant's 
previous history of cybersecurity threats or attacks should be taken 
into consideration as part of the Pilot Program selection process. The 
Commission also asked what role, if any, cybersecurity risk, geographic 
or socioeconomic factors, staffing constraints or financial need, or 
technical challenges should play in Pilot participant selection. 
Commenters urged the Commission to forgo reliance on whether an 
applicant has faced or is facing a particular type of cybersecurity 
threat or attack, an applicant's previous history with cybersecurity 
threats or attacks, or the frequency with which an applicant has 
experienced a cybersecurity incident as drivers of Pilot participant 
selection. Commenters were generally supportive of selecting and 
prioritizing applicants who face geographic, socioeconomic, financial, 
and other challenges, or who serve low-income and under-resourced 
populations.
    61. The Commission agrees with commenters who support using a broad 
and objective set of evaluation factors to select Pilot Program 
participants. After reviewing the record, the Commission concludes that 
the Pilot Program goals will best be served by directing funding to: 
(1) the neediest eligible schools, libraries, and consortia who will 
benefit most from cybersecurity funding (i.e., those at the highest 
discount rate percentages); (2) as many eligible schools, libraries, 
and consortia as possible; (3) those schools, libraries, and consortia 
that include Tribal entities; and (4) a mix of large and small and 
urban and rural, schools, libraries, and consortia. Selecting Pilot 
participants in this manner is consistent with its standard practice in 
E-Rate of prioritizing funding for the most resource-constrained 
schools, libraries, and consortia and is logical to apply here. It also 
achieves its goal of ensuring that the Pilot contains a diverse cross-
section of applicants with differing cybersecurity postures and 
experiences. The Commission directs the Bureau to weigh these 
considerations during the Pilot application review and participant 
selection processes.
    62. The Commission has considered commenters' suggestions regarding 
the potential application factors and have determined that the 
considerations outlined will provide us with meaningful information 
with which it can select Pilot projects and participants. The 
Commission acknowledges that commenters suggested it weighs other 
considerations, but it believes that the considerations listed best 
enable it to select high-quality projects that will meet Pilot goals 
and target Pilot funding to the schools and libraries with the greatest 
need. Further, each of these considerations play an important part in 
helping us better understand the relationship of certain cybersecurity 
services and equipment to the overall cybersecurity health and posture 
of entities in varying contexts and with varying levels of 
cybersecurity expertise.
    63. The Commission directs the Bureau and USAC to review the 
applications and select Pilot projects and participants based on 
applicants' responses, weighing the considerations listed, in 
combination with the applicants' category one discount rates. In 
selecting Pilot projects and participants, limited initial screening 
prerequisites should be employed, but the Bureau and USAC may exclude 
applications that are incomplete or do not meet Pilot Program 
eligibility standards. The Bureau and USAC should also work to ensure 
that, to the extent feasible and based on qualified applications, Pilot 
Program funding is not heavily concentrated in any particular state or 
region, and instead is distributed widely throughout the United States, 
including the District of Columbia and the U.S. territories, with an 
emphasis on funding proposed Pilot projects that include low-income and 
Tribal applicants. The Commission declines to require Pilot applicants 
or participants to join information-sharing organizations like MS-ISAC, 
though it highly encourages all applicants or participants to do so. In 
choosing participants for the Pilot, the Bureau and USAC should also 
consider the cost of the proposed Pilot project compared to the total 
Pilot Program cap. This does not mean that proposed Pilot projects 
should be evaluated based on their total project budgets, but, rather, 
the Bureau and USAC should seek to select an array of Pilot projects 
with varying costs that can all be funded within the Pilot Program's 
cap. In addition, the Bureau and USAC should seek to select an array of 
Pilot participants with differing levels of exposure to cybersecurity 
threats and attacks, and ensuring that the selected Pilot participants 
include schools and libraries that currently have limited cybersecurity 
protections. Although applicants' responses will be considered 
consistent with the considerations listed when evaluating proposed 
Pilot projects, the considerations are not determinative of whether a 
Pilot project will be selected because the Commission recognizes that 
each proposed Pilot project will have its own unique strengths and 
potential challenges. The Commission's goal is to ensure the selection 
of proposed Pilot projects that present a well-defined plan for meeting 
the cybersecurity needs of specific schools, libraries, or consortia, 
with a particular emphasis on resource-challenged and Tribal applicants 
and the three Pilot Program goals discussed in greater detail in the 
Order.
    64. Prioritization. In the event that the number of FCC Form 484 
applications received exceeds the number of projects that can be funded 
through the Pilot, the Commission directs the Bureau and USAC to 
prioritize the selection of Pilot participants by considering their 
funding needs in combination with the funding needs of the same type(s) 
of applicants. Under the rules for the Pilot, eligible schools and 
libraries may receive discounts ranging from 20 percent to 90 percent 
of the pre-discount price of eligible services and equipment, based on 
indicators of need. Schools and libraries in areas with higher 
percentages of students eligible for free or reduced-price lunch 
through the National School Lunch Program (or a federally approved 
alternative mechanism) qualify for higher discounts for eligible 
services than those with lower levels of eligibility for such programs. 
The Commission's priority rules for the Pilot provide that funds shall 
be allocated first to requests for support at the 90 percent discount 
rate. To the extent funds remain after discounts are awarded to 
entities eligible for a 90 percent discount, the rules Pilot rules 
provide that the Administrator shall continue to allocate funds for 
discounts to participants at each descending single discount 
percentage. The Pilot rules also provide that if sufficient funds do 
not exist to grant all requests within a single discount percentage, 
the Administrator shall allocate the remaining support on a pro rata 
basis over that single discount percentage level. Funding for libraries 
will be prioritized based on the percentage of free and reduced lunch 
eligible students in the school district that is used to calculate the 
library's discount rate. Funding for individual schools that are not 
affiliated financially or operationally with a school district, such as 
private or charter schools that apply individually, will be prioritized

[[Page 61296]]

based on each school's individual free and reduced student lunch 
eligible population. For those schools and libraries selected as Pilot 
participants that do not participate in the E-Rate program, their 
discount rate will be calculated based on indicators of need as 
outlined and their funding prioritized consistent with the 
prioritization rules for the Pilot described in this paragraph. This 
prioritization gives applicants serving the highest poverty populations 
first access to funds while allowing us to fund within a discount band 
even where funding is not sufficient to reach all participants in the 
band. This system of prioritization is also consistent with Fortinet's 
recommendation that ``the Commission . . . consider a tiered 
prioritization scheme for Pilot support requests'' and the 
recommendations of commenters that those schools, libraries, and 
consortia with a higher discount rate receive funding ahead of those 
who are entitled to a lower discount rate.
    65. Part Two Application Information. For the second part of the 
FCC Form 484 application, the Commission directs the Bureau and USAC to 
collect more detailed cybersecurity information from applicants who are 
selected to participate in the Pilot Program. The Commission has 
bifurcated the application into two parts, seeking a general level of 
cybersecurity information from applicants and leaving the more detailed 
cybersecurity reporting for the selected Pilot participants. This has 
the benefit of limiting the amount of sensitive cybersecurity 
information that will be provided by applicants at the application 
stage and will reduce the initial application burden. The Commission 
requires Pilot participants to provide such information to help 
establish a baseline that will enable it to effectuate the Performance 
Goals and Data Reporting discussed. Applicants should be aware, that, 
if selected to participate in the Pilot Program, they will be required 
to provide the following additional (or substantially similar) 
cybersecurity information, as applicable, and may be removed from the 
Pilot Program if they refuse or fail to do so:
     Information about correcting known security flaws and 
conducting routine backups, developing and exercising a cyber incident 
response plan, and any cybersecurity changes or advancements the 
participant plans to make outside of the Pilot-funded services and 
equipment.
     A description of the Pilot participant's current 
cybersecurity posture, including how the school or library is currently 
managing and addressing its current cybersecurity risks through 
prevention and mitigation tactics.
     Information about a participant's planned use(s) for other 
Federal, state, or local cybersecurity funding (i.e., funding obtained 
outside of the Pilot).
     Information about a participant's history of cybersecurity 
threats and attacks within a year of the date of its application; the 
date range of the incident; a description of the unauthorized access; a 
description of the impact to the K-12 school or library; a description 
of the vulnerabilities exploited and the techniques used to access the 
system; and identifying information for each actor responsible for the 
incident, if known.
     A description of the specific Education Department or CISA 
cybersecurity best practices recommendations that the participant has 
implemented or begun to implement.
     Information about a participant's current cybersecurity 
training policies and procedures, such as the frequency with which a 
participant trains its school and library staff and, separately, 
information about student cyber training sessions, and participation 
rates.
     Information about any non-monetary or other challenges a 
participant may be facing in developing a more robust cybersecurity 
posture.
    66. Instructions for Filing Applications. Iin order to facilitate 
the application process, the Commission plans to provide an application 
titled ``Schools and Libraries Cybersecurity Pilot Program 
Application'' (FCC Form 484) that applicants must use when submitting 
their project proposals to the Commission. Applicants will be required 
to complete each section of the first part of the application and make 
the required certifications. The applications for the Pilot Program 
must be submitted through the Pilot portal on USAC's website during the 
announced FCC Form 484 application filing window discussed below. The 
Commission directs the Bureau to issue a Public Notice subsequent to 
the release of the Order that specifies the effective date of the Pilot 
Program rules and the filing window dates for submitting Pilot 
applications. The Public Notice must also include details on how to 
submit an application using the Pilot portal on USAC's website. In 
response to concerns about the security and confidentiality of 
cybersecurity information provided as part of the Pilot, as stated 
previously, the Commission is only requiring more general information 
at the application stage of the Pilot. The more detailed, 
cybersecurity-related information will only be provided by Pilot 
participants. Some commenters have expressed concerns that this type of 
information is sensitive and could be used by malicious cybersecurity 
actors for nefarious purposes. The Commission agrees and find that the 
cybersecurity-related information that is being requested and provided 
in the FCC Form 484 constitutes sensitive business information and 
includes trade secrets. Accordingly, the Commission will treat it as 
presumptively confidential under its rules and will withhold it from 
public inspection. The Commission further notes that FCC Form 484 data 
will be protected by security protections built into USAC's Pilot 
portal.
    67. Instructions for Establishing Application Schedule and 
Reviewing Applications. The Commission delegates to the Bureau the 
authority to establish an application schedule consistent with the 
direction provided in the Order; review Pilot FCC Form 484 
applications; and select Pilot projects and participants, doing so in 
an efficient and expedited manner. The Commission further directs the 
Bureau to consult with OEA, PSHSB, OMD, and the Office of General 
Counsel (OGC), as needed, regarding the review of Pilot applications 
and selection of participants. After selecting the Pilot participants, 
the Commission directs the Bureau to announce its selections through a 
Public Notice that will provide further detail about the Pilot Program 
requirements, including providing additional information and 
instruction regarding Pilot requirements for submitting the second part 
of the Form 484 application, competitive bidding, submitting requests 
for funding, and invoicing, as well as the Pilot-specific data and 
metrics reporting requirements discussed herein and the format for 
those reporting and metrics requirements.
    68. Establishing an Application Filing Window. To facilitate an 
efficient and equitable application review process, the Commission 
directs the Bureau to establish an application filing window, after 
which it will review applications from all eligible applicants by 
weighing the considerations discussed. Establishing a single filing 
window was well received by those commenters who addressed the proposal 
and opening a single window will allow the Bureau to review all 
applications before making selections. The Commission expects that 
adopting a single FCC Form 484 application filing window and proceeding 
in this manner will assist with its goal of selecting a diverse cross-

[[Page 61297]]

section of Pilot participants with a particular focus on the under-
resourced applicants who are most in need of cybersecurity funding. To 
further assist under-resourced applicants, the Commission directs the 
Bureau and USAC to offer dedicated training and office hours for 
applicants and participants who are less experienced with cybersecurity 
services and equipment, or with the E-Rate and ECF program forms and 
processes.
    69. The Commission next adopts competitive bidding processes and 
rules for the Pilot Program that mirror the E-Rate program to ensure 
that the limited Pilot funds are used for the most cost-effective 
eligible services and equipment; the integrity of the Pilot Program is 
protected; and potential waste, fraud, and abuse is prevented. The 
Commission directs the Bureau and USAC to model the Pilot Program 
requests for services, invoicing, and reimbursement processes and forms 
on existing E-Rate and ECF program processes and forms to the extent 
possible for the Pilot Program, consistent with record support. In 
particular, the Commission expects the Bureau and USAC to leverage the 
following FCC forms for the Pilot that will mirror existing E-Rate and 
ECF forms: (1) FCC Form 470 (Description of Services Requested and 
Certification Form); (2) FCC Form 471 (Description of Services Ordered 
and Certification Form); (3) FCC Form 472 (Billed Entity Applicant 
Reimbursement (BEAR) Form); and (4) FCC Form 474 (Service Provider 
Invoice (SPI) Form). The Commission requires Pilot participants and 
service providers to make certain certifications on Pilot Program forms 
to protect the integrity of the Pilot. The Commission also requires 
them to submit invoices with their reimbursement requests that support 
the amounts requested and approved in their Pilot FCC Form 471 
applications. By modeling the Pilot processes and forms on existing E-
Rate and ECF processes and forms, the Commission expects to save Pilot 
participants time needed to familiarize themselves with the new forms 
and reduce administrative cost and burden.
    70. As in the E-Rate program, the Commission adopts competitive 
bidding processes and rules for the Pilot Program to ensure that the 
limited Pilot funds are used for the most cost-effective eligible 
services and equipment, and to protect the integrity of the Pilot. 
Competitive bidding is a cornerstone of several USF programs, including 
the E-Rate and Connected Care Pilot programs, and is critical to 
ensuring that applicants obtain the most cost-effective offering 
available. Currently, under the E-Rate program rules, to obtain support 
an applicant must first conduct a competitive bidding process and 
comply with the Commission's competitive bidding rules. Applicants 
begin the competitive bidding process by filing a completed E-Rate FCC 
Form 470 with USAC. USAC, in turn, posts the form on its website for 
potential competing service providers to review and submit bids. An 
applicant must wait at least 28 days from the date on which its E-Rate 
FCC Form 470 is posted on USAC's website before entering into a signed 
contract or other legally binding agreement with a service provider and 
submitting an E-Rate FCC Form 471 to seek funding for selected services 
and equipment. The E-Rate FCC Form 470 must specify and provide a 
description of the eligible services and equipment requested with 
sufficient detail to enable potential service providers to submit 
responsive bids.
    71. In the Cybersecurity NPRM, the Commission proposed a 
competitive bidding process and rules for Pilot participants that 
mirror the existing E-Rate competitive bidding process and rules. 
Because of the structural similarities between the E-Rate program and 
the Pilot, the proven effectiveness of the E-Rate processes and rules, 
and the reduced compliance burden for Pilot participants who are 
already familiar with existing E-Rate requirements, it concludes that 
its proposal is reasonable and adopts it here. To begin, the Commission 
adopts a Pilot FCC Form 470, modeled after the E-Rate form, that Pilot 
participants will use to describe their desired Pilot-eligible services 
and equipment and initiate the competitive bidding process. Likewise, 
the Commission adopts competitive bidding requirements modeled on Sec.  
54.503 of the Commission's rules, with which Pilot participants must 
comply to ensure they conduct an open and fair competitive bidding 
process. This includes, among other things, the requirement that a 
Pilot participant must wait at least 28 days from the date the Pilot 
FCC Form 470 is posted on USAC's website before entering into a legally 
binding agreement or contract with a service provider and must submit a 
Pilot FCC Form 471 to seek funding for Pilot-eligible services and 
equipment. It also includes the requirement that before entering into 
an agreement or contract with a service provider(s), a Pilot 
participant carefully consider all bids submitted and select the most 
cost-effective service offering with price as the primary (i.e., most 
heavily-weighted) factor in the vendor selection process. Finally, it 
includes a restriction on the receipt of gifts and a requirement that 
the competitive bidding process be conducted in a fair and open manner 
(i.e., all potential service providers have access to the same 
information and are treated in the same manner throughout the entire 
competitive bidding process).
    72. Because the competitive bidding process is essential to 
ensuring that Pilot participants obtain the most cost-effective 
eligible services and equipment, protecting program integrity, and 
preventing potential waste, fraud, and abuse in the Pilot, the 
Commission declines CCSD's recommendation that applicants with existing 
contracts for cybersecurity solutions be allowed to request Pilot 
Program funding to cover the cost of those contracts and be exempt from 
any competitive bidding requirements. Likewise, the Commission declines 
to provide an exemption to competitive bidding for costs that Pilot 
participants may be currently cost-allocating in E-Rate funding 
requests for advanced firewall services. Similarly, because an open and 
fair competitive bidding process hinges on all bidders being on equal 
footing, the Commission also declines E-Rate Central's proposal that 
applicants be allowed to conduct their competitive bidding processes 
before submitting their FCC Form 484 applications and be permitted to 
work alongside their selected service providers to develop their 
proposed Pilot projects. Finally, to enable participants to select the 
services and equipment that best meets their needs, it clarifies, as 
SECA requests, that participants are permitted to require that the 
services or equipment to be purchased are interoperable with and/or 
compatible with existing services and equipment that have already been 
purchased.
    73. The Commission does, however, establish a limited exemption to 
competitive bidding for Pilot participants who may be eligible to 
purchase services and equipment from master services agreements (MSAs) 
or their equivalent. Specifically, Pilot participants will not be 
required to seek competitive bids when seeking support for services and 
equipment purchased from MSAs negotiated by Federal, state, Tribal, or 
local governmental entities on behalf of such Pilot participants, if 
such MSAs were awarded pursuant to the E-Rate Form 470 process, as well 
as applicable Federal, state, Tribal, or local competitive bidding 
requirements. The Commission agrees with SECA that these MSAs or state 
master contracts are ``efficient contract vehicles'' and reflect

[[Page 61298]]

``cost-effective solutions for different components and different 
manufacturers.'' Pilot participants will be required to use the mini-
bid process if required by the relevant MSA or state master contract. 
The Commission finds that this exemption, which was similarly included 
in the Connected Care Pilot Program, will enable Pilot participants to 
benefit from competitively bid state master contracts and MSAs, and in 
so doing, will streamline the competitive bidding process and minimize 
the burden on Pilot participants.
    74. As proposed in the Cybersecurity NPRM, the Commission adopts 
the Pilot FCC Form 471, modeled after the E-Rate FCC Form 471, for 
Pilot participants and their service provider(s). In the E-Rate 
program, applicants file an FCC Form 471 to request discounts on 
eligible services and equipment for the upcoming funding year. The E-
Rate FCC Form 471 requires detailed descriptions of the services and 
equipment requested, including the costs of and service dates for the 
services and equipment; the selected service provider(s); and 
certifications regarding compliance with program rules. Applicants must 
wait until the Allowable Contract Date (ACD), which is 28 days after 
the E-Rate FCC Form 470 is certified and submitted to USAC, to certify 
and submit their E-Rate FCC Forms 471. Once an applicant certifies and 
submits its E-Rate FCC Form 471, USAC issues a Receipt Acknowledgment 
Letter (RAL) to both the applicant and its selected service 
provider(s). Following the issuance of the RAL, and after USAC conducts 
its PIA review process, USAC issues a Funding Commitment Decision 
Letter (FCDL) to both the applicant and the selected service 
provider(s), at which point they may begin to invoice after the receipt 
or delivery of the requested eligible services and/or equipment.
    75. Similar to the E-Rate program, Pilot participants must file a 
Pilot FCC Form 471 to request discounts on eligible services and 
equipment. As with the E-Rate form, the Pilot FCC Form 471 will include 
information on the recipients of services and equipment and the 
selected service provider(s); detailed descriptions of the services and 
equipment requested, including their costs and service dates; and 
certifications regarding compliance with Pilot rules. Pilot 
participants will be required to wait until the ACD to certify and 
submit the Pilot FCC Form 471. Once a Pilot participant certifies and 
submits the Pilot FCC Form 471, USAC will provide the Pilot participant 
an opportunity to correct any errors on the form, through a RAL or 
similar process, after which USAC will issue an FCDL. Pilot 
participants will submit Pilot FCC Form(s) 471 to cover the full Pilot 
project, and will be allowed to submit service and equipment 
substitution change requests, if needed, during the three-year Pilot.
    76. The Commission directs the Bureau and USAC to announce and open 
a Pilot FCC Form 471 application filing window to speed the 
availability of funds to the selected Pilot participants. During this 
application filing window, selected Pilot participants may submit their 
Pilot FCC Form(s) 471 to request eligible equipment and services that 
are needed to implement their Pilot project through the online system 
implemented by USAC. As the Commission is adopting forms, processes, 
and procedures that are used in the E-Rate and ECF programs, it expects 
that this application filing window process will be familiar to most of 
the selected Pilot participants. Pilot participants will have a three-
year period from the date of their FCDL to receive and implement the 
services and equipment funded through the Pilot. Pilot participants 
will be required to report on the progress of their Pilot projects and 
how the Pilot funding is being used to improve their cybersecurity 
postures throughout the three-year term, consistent with the annual 
reporting requirements discussed in the Order. The Commission further 
expects that using a Pilot FCC Form 471 application filing window will 
allow USAC to quickly size demand, review applications, and issue 
funding decisions, thereby allowing the flow of funding more quickly to 
Pilot participants. In the event that demand does not exceed available 
funds, the Commission delegates authority to the Bureau to direct USAC 
to open additional Pilot FCC Form 471 application filing windows and to 
commit additional funding up to each Pilot participant's allotted 
budget. No Pilot participant will be allowed to request or receive more 
funding than what is calculated based on the per-Pilot participant 
budget rule.
    77. Invoicing. Consistent with the E-Rate program, and pursuant to 
the Second Report and Order, 68 FR 36931, June 20, 2003, the Commission 
permits both Pilot participants and service providers to submit 
requests for reimbursement using the Pilot FCC Forms 472 and 474, 
respectively. The Commission agrees with those commenters who explain 
that allowing both participant and service provider invoicing options 
is the most efficient and direct way to provide funding to eligible 
schools and libraries. The Commission concludes that, on balance, 
allowing both invoicing options for the submission of Pilot 
reimbursement requests is an efficient and effective way to ensure that 
participants are actually able to purchase Pilot-eligible services and 
equipment, and aligns most closely with the E-Rate program, which 
commenters support. Consistent with E-Rate program rules, Pilot 
participants must be permitted to select the method of invoicing. For 
administrative simplicity, Pilot participants must also specify on 
their Pilot FCC Form(s) 471 whether the participant or the service 
provider will be conducting the invoicing for each funding request. As 
part of the reimbursement process, Pilot participants and service 
providers must provide the required certifications, along with any 
necessary documentation to support their requests. Requests for 
reimbursement must be submitted to USAC within 90 days after the last 
date to receive service, and Pilot participants or service providers 
may request a one-time extension of the invoicing filing deadline, if 
the request is timely filed.
    78. Invoicing Documentation. As in the ECF program, to protect the 
integrity of the Pilot and protect against potential waste, fraud, and 
abuse, the Commission requires Pilot participants and service providers 
to submit, along with their reimbursement requests, invoices detailing 
the items purchased. Invoices must support the amounts requested and 
approved in the Pilot FCC Form 471 application. The Commission 
disagrees with Lumen Technologies, Inc. and NCTA that the submission of 
invoices with reimbursement requests would limit flexibility for Pilot 
participants and serves no purposes in this context. Rather, the 
submission of invoices with the Pilot FCC Forms 472/474 will help 
expedite the review of those requests and the corresponding 
disbursement of funds. Moreover, although the Pilot Program is not an 
emergency program, it is being conducted on an expedited basis, thus 
necessitating swift and efficient final invoicing decisions. While the 
Commission will not require Pilot participants and service providers to 
submit other supporting documentation at the time they submit their 
Pilot request(s) for reimbursement, pursuant to its certifications and 
document retention requirements, all participants must certify receipt/
delivery of eligible services and equipment and that only eligible 
services and equipment were invoiced, as well as retain and provide 
upon request by USAC, the Commission

[[Page 61299]]

(including Commission staff) and its Office of Inspector General (OIG), 
or any other authorized Federal, state, or local agency with 
jurisdiction over the entity, all records related to their Pilot FCC 
Forms 470, 471, and 472/474 (including, for example, competitive 
bidding documentation and contracts) for at least 10 years from the 
last date of service or delivery of equipment.
    79. Consistent with the terms of the Memorandum of Understanding 
(MOU) between the Commission and USAC, and pursuant to the rules 
adopted, the Commission designates USAC as the Administrator of the 
Pilot Program. The Commission will use USAC's services to review, 
process, and approve the Pilot FCC Forms 470, 471, 472, 474, 484, and 
488, as well as recommend funding commitments, issue FCDLs, review 
requests for reimbursement and invoices, and payment of funds, as well 
as other administration-related duties. The one commenter that directly 
addressed the issue supported using USAC and its processes for the 
efficient and effective administration of the Pilot Program, and the 
Commission agrees that USAC's experience administering the E-Rate and 
Connected Care Pilot programs, along with the other Federal universal 
service programs makes it uniquely situated to be the Administrator of 
the Pilot Program. In designating USAC as the Administrator of the 
Pilot Program the Commission notes that USAC may not make policy, 
interpret unclear statutes or rules relied upon to implement and 
administer the Pilot Program, or interpret the intent of Congress. In 
its administration of the Pilot Program, the Commission also directs 
USAC to comply with, on an ongoing basis, all applicable laws and 
Federal Government guidance on privacy and information security 
standards and requirements such as the Privacy Act, relevant provisions 
of the Federal Information Security Modernization Act of 2014, NIST 
publications, and Office of Management and Budget (OMB) guidance.
    80. The Commission notifies Pilot participants, including their 
selected service providers that, similar to the E-Rate program and 
other USF programs, they shall be subject to audits and other 
investigations to evaluate their compliance with the statutory and 
regulatory requirements for the Pilot. USF Program audits have been 
successful in helping program applicants and participants improve 
compliance with the Commission's rules and in protecting the funds from 
waste, fraud, and abuse. The Commission directs USAC to perform such 
audits pursuant to the Commission's and USAC's respective roles and 
responsibilities as set forth in the MOU and Sec.  54.2011 of the 
Commission's rules. The Commission is also mindful of the privacy 
concerns raised regarding providing personally identifiable information 
(PII) to Commission or USAC staff about individual students, school 
staff, or library patrons that may be collected as part of the 
cybersecurity measures implemented through the Pilot. While it does not 
anticipate that Pilot participants will need to share the PII of 
students, school staff, or library patrons in connection with their 
Pilot FCC forms, audits (or related compliance tools), or reporting, it 
notes that the Commission, USAC, and any contractors or vendors will be 
required to abide by all applicable Federal and state privacy laws. The 
Commission also directs the Commission, USAC, and contractor/vendor 
staff to take into account the importance of protecting the privacy of 
students, school staff, and library patrons, to design requests for 
information from schools and libraries that minimize the need to 
produce information that might reveal PII, and to work with auditors to 
accept anonymized or deidentified information in response to requests 
for information wherever possible. If anonymized or deidentified 
information regarding the students, school staff, and library patrons 
is not sufficient for auditors' or investigative purposes, the auditors 
or investigators may request that the school or library obtain the 
consent of the parents or guardians, for students, and the consent of 
the school staff member or library patron to have access to PII or 
explore other legal options for obtaining PII. The Commission 
additionally delegates to the Bureau and OMD, in consultation with OGC 
(and specifically the Senior Agency Official for Privacy) the authority 
to establish requirements for the Bureau's, USAC's, or any 
contractor's/vendor's collection, use, processing, maintenance, 
storage, protection, disclosure, and disposal of PII in connection with 
any Pilot FCC forms, audit (or other compliance tool), or reporting.
    81. The Commission takes seriously its obligation to be a careful 
steward of the USF and to protect the integrity of the Pilot Program. 
The commission is committed to ensuring the integrity of the Pilot and 
will pursue instances of waste, fraud, or abuse under its own 
procedures and in cooperation with the Commission's OIG and other law 
enforcement agencies. The specific procedures the Commission adopts 
regarding document retention requirements, the prohibition on gifts, 
certifications, audits, suspension and debarment, and the treatment of 
eligible services and equipment are modeled after its E-Rate processes 
and are tools at its disposal to protect the Pilot and ensure the 
limited program funding is used for its intended purposes to support 
Pilot Program goals and enable the purchase of Pilot-eligible services 
and equipment.
    82. In the Cybersecurity NPRM, the Commission sought comment on 
whether ``document retention requirements'' for the Pilot, including 
those based on modifying rules from the Commission's E-Rate program, 
would help ``protect the program integrity of the Pilot.'' The 
Commission adopts this proposal. Specifically the Commission includes a 
new Sec.  54.2010(a) of the Commission's rules, modeled after a 
corresponding E-Rate rule, that requires Pilot participants to ``retain 
all documents related to their participation in the [Pilot] program 
sufficient to demonstrate compliance with all program rules for at 
least 10 years from the last date of service or delivery of equipment'' 
and ``maintain asset and inventory records of services and equipment 
purchased sufficient to verify the actual location of such services and 
equipment for a period of 10 years after purchase.'' The Commission 
also includes a new Sec.  54.2010(b) of the Commission's rules, also 
modeled after a corresponding E-Rate rule, that requires Pilot 
participants and service providers to ``produce such records upon 
request of any representative (including any auditor) appointed by a 
state education department, the Administrator, the Commission, its OIG, 
or any local, state, or federal agency with jurisdiction over the 
entity.'' This rule requires that Pilot participants must retain 
documents regarding participation in the Pilot, including asset and 
inventory records, accumulated during the Pilot, for a period of 10 
years.
    83. While commenters generally did not opine on these issues, the 
Commission finds that this new rule, Sec.  54.2010(a), will ensure that 
participants have sufficient records on hand related to all aspects of 
their participation in the Pilot to permit entities with jurisdiction 
over the participant, including USAC and the Commission, to make 
efficient and reliable determinations of compliance, e.g., as part of 
any post-audit review or investigation that bears on potential waste, 
fraud and abuse in the Pilot Program. The Commission finds that this 
new rule, Sec.  54.2010(b), will effectively establish (or confirm) 
that a

[[Page 61300]]

Pilot participant must provide documents to external parties with valid 
jurisdiction when a request is made for the retained documents. The 
Commission finds its actions are warranted as the Commission, as a 
careful steward of the USF's limited funds, has a strong interest in 
ensuring that sufficient documentation is available and can be accessed 
to permit external parties with jurisdiction to make reliable and 
efficient determinations of potential waste, fraud and abuse in the 
Pilot. The Commission also finds that the new rules will meaningfully 
inform potential Commission short-term action, e.g., through 
enforcement or other remediation steps if the integrity of the Pilot 
Program is threatened, and long-term action, that could potentially 
result in future revision of Commission or USAC processes to better 
protect the USF and the USF programs. Moreover, the Commission finds 
these rules, including the associated ``10 year'' retention and 
production requirements, are likely to be effective in protecting the 
integrity of the Pilot because they are modeled after existing Sec.  
54.516 of the Commission's rules with only clarifying amendments 
reflective of the structure of the Pilot. The Commission has found the 
E-Rate rules to be effective over the course of its many years of 
experience overseeing USAC's administration of the E-Rate program. As 
the Commission has previously noted, these rules, including the 10-year 
document retention and production requirement, appropriately balance 
the need to have pertinent documentation available for review with 
corresponding administrative burdens and storage costs borne by E-Rate 
applicants and service providers. The Commission expects similar 
benefits to accrue in relation to the Pilot.
    84. In balancing the longstanding goal of fair and open procurement 
with the disbursement of USF support for eligible equipment and 
services, the Commission adopts gift restrictions for the Pilot. 
Consistent with the E-Rate program, the Commission prohibits eligible 
schools and libraries receiving Pilot Program support, including their 
employees, officers, representatives, agents, independent contractors, 
consultants, and individuals who are on the governing boards, from 
soliciting or accepting any gift or other thing of value from a service 
provider participating in or seeking to participate in the Pilot. 
Similar to the E-Rate program, participating service providers, 
including their employees, officers, representatives, agents, 
independent contractors, consultants, and individuals who are on 
governing boards, are likewise prohibited from offering or providing 
any gift or other thing of value to eligible entities, including their 
employees, officers, representatives, agents, independent contractors, 
consultants, and individuals who are on the governing boards.
    85. As an additional measure to protect the integrity of the Pilot, 
the Commission also requires participants to provide several 
certifications as part of the FCC Form 484 application, competitive 
bidding, requests for services, and invoicing processes. Similarly, the 
Commission requires their selected service providers to provide 
certifications related to Pilot invoicing processes. The Commission 
finds, and no commenter disagrees, that the use of certifications are a 
key compliance mechanism to protect the limited Pilot funds. All 
certifications must be made subject to the provisions against false 
statements contained in the Act and Title 18 of the United States Code.
    86. Duplicate Funding Certification. The Commission confirms that 
it will not provide support for eligible services and equipment, or the 
portion of eligible services and equipment, that have already been 
reimbursed with other Federal, state, Tribal, or local funding, or are 
eligible for discounts from E-Rate or another universal service 
program. No commenters opposed adopting this limitation to stretch the 
Pilot's limited funds. To implement this prohibition on requesting or 
receiving duplicative funding, the Commission will require Pilot 
participants and service providers to certify on the FCC Forms 472 or 
474 that they are not seeking support or reimbursement for Pilot-
eligible services and equipment that have been purchased and reimbursed 
with other Federal, state, Tribal, or local funding, or are eligible 
for discounts from E-Rate or another universal service program. The 
Commission takes this action to ensure that the limited Pilot support 
will be used for its intended purposes and clarify that if the Pilot-
eligible services and equipment are fully reimbursed through other 
sources, participants and service providers should not be seeking 
funding for them through the Pilot Program.
    87. Additional Certification Requirements. The Commission also 
requires Pilot participants, when submitting their Pilot FCC Form 470 
competitive bidding forms, and Pilot participants and service providers 
when submitting their FCC Forms 472 and 474 requests for reimbursement 
(i.e., invoicing forms), respectively, to provide several additional 
certifications. For example, Pilot participants and service providers 
must certify that they are seeking funding for only Pilot-eligible 
services and equipment. Pilot participants and service providers should 
be aware that the certification descriptions referenced in this section 
are not exhaustive and it is incumbent on them to familiarize 
themselves with the certifications required by each of the Pilot forms 
and rules that are applicable to them.
    88. Support provided for cybersecurity services and equipment 
funded through the Pilot will be subject to audits and reviews 
consistent with the procedures currently used for the USF programs 
(e.g., Beneficiary and Contributor Audit Program audits and Payment 
Integrity Assurance (PIA) reviews), and could be subject to recovery 
measures should the Commission and/or USAC find a violation of its 
rules and deem it appropriate. Specifically, applicants, participants, 
and service providers may be subject to audits and other investigations 
by USAC and/or Bureaus and Offices of the Commission to evaluate 
compliance with the rules it adopted. The Commission considers audits 
and other review mechanisms in the Pilot program to be important tools 
in ensuring compliance with its rules and identifying instances of 
waste, fraud, and abuse. Considering the action it took to create the 
Pilot Program using universal service funding, the Commission expects 
that these tools will continue to be paramount to its ability to ensure 
that these finite funds are used appropriately and consistent with its 
rules.
    89. Consistent with its proposals in the Cybersecurity NPRM, the 
Commission will apply its existing USF suspension and debarment rules 
to the Pilot. In addition, to the extent that the Commission adopts 
updated and final suspension and debarment rules in a separate and 
pending proceeding, it will apply the updated rules to the Pilot 
Program.''
    90. While commenters did not opine on these issues, the Commission 
finds it beneficial to apply its USF suspension and debarment rules, 
which are applicable to existing USF programs and codified at Sec.  
54.8 of its rules, to the Pilot as well. The Commission's decision to 
make these rules binding on persons, including individuals and 
entities, involved in the Pilot provides these groups with notice as to 
the types of behavior that could result in their suspension and 
debarment (and the suspension and debarment of others),

[[Page 61301]]

the processes by which suspension and debarment would be determined, 
and some of the consequences of such action. The Commission also finds 
that this action will permit Pilot participants to make better-informed 
decisions as to the consultants and other persons that they choose to 
employ or otherwise retain (e.g., based on factors that are identified 
in its suspension and debarment rules) for work on the Pilot Program, 
which will protect participants, and the USF, from waste, fraud, and 
abuse. As the Pilot incorporates administrative processes, forms, and 
rules from E-Rate and other USF programs, the Commission finds it 
reasonable to apply its existing USF suspension and debarment rules to 
the Pilot as well. The Commission finds that doing so ensures that 
participants are able to engage a variety of persons with expertise and 
skills relevant to the USF generally, and Pilot specifically, while 
also preventing potential bad actors from undermining the Pilot's 
goals. Ultimately, the Commission finds that its actions will support 
its mission to maintain the Pilot's integrity and protect it from 
waste, fraud, and abuse.
    91. Similarly, the Commission finds it appropriate to apply any new 
Commission USF suspension and debarment rules that may be finalized 
during the course of the Pilot to the Pilot as well. The Pilot 
incorporates administrative processes, forms, and rules from E-Rate and 
other USF programs. The Commission therefore finds it reasonable to 
apply any new suspension and debarment rules developed for those 
programs to the Pilot as well.
    92. The Commission adopts three performance goals to enable it to 
evaluate the Pilot Program. The Commission expects that, to the extent 
that the Pilot Program meets these goals, the results of the Pilot will 
help us assess the costs and benefits of utilizing universal service 
funds to support schools' and libraries' cybersecurity needs, as well 
as how other Federal resources could best be leveraged to ensure that 
these needs are addressed in the most efficient and effective manner. 
The Commission also adopts a periodic reporting requirement designed to 
allow the Commission evaluate the goals and success of the Pilot 
Program while, to the extent possible, taking steps to minimize the 
burden on Pilot participants.
    93. In the Cybersecurity NPRM, the Commission proposed three 
performance goals for the Pilot Program. Specifically, the Commission 
proposed the goals of: (i) improving the security and protection of E-
Rate-funded broadband networks and the data on those networks; (ii) 
measuring the costs associated with cybersecurity services and 
equipment, and the amount of funding needed to adequately meet the 
demand for these services if extended to the E-Rate program; and (iii) 
evaluating how to leverage other Federal K-12 cybersecurity tools and 
resources to help schools and libraries effectively address their 
cybersecurity needs. Additionally, the Commission proposed and sought 
comment on how it can best measure progress towards these goals, to 
ensure that the limited Pilot funds are used most impactfully and 
effectively. The Commission also sought comment on how to evaluate the 
Pilot, including whether participants should submit periodic reports 
and other assessments and evaluations.
    94. Based on the record, the Commission adopts its three proposed 
performance goals for the Pilot. The Commission notes that commenters 
broadly supported the three proposed goals, considering them 
appropriate to allow the Commission to assess the effectiveness and 
cost of the cybersecurity services and equipment used in the Pilot.
    95. First Performance Goal: Improving the Security and Protection 
of E-Rate-Funded Broadband Networks and Data. First, the Commission 
adopts a goal for the Pilot Program of improving the security and 
protection of E-Rate-funded broadband networks and data. Funding made 
available by the Pilot will help participants acquire cybersecurity 
services and equipment to improve the security of their broadband 
networks and data. Commenters generally supported this goal. Cisco, for 
example, deemed the goal consistent with the Commission's ``statutory 
responsibilities to adapt the universal service rules to account for 
advances in telecommunications and information technology.'' Making 
funding available for cybersecurity services and equipment will help 
Pilot participants protect and secure their E-Rate-funded broadband 
networks and data to mitigate increasing cybersecurity threats. In 
adopting this goal, the Commission emphasizes that it is not only 
seeking to improve the security and protection of E-Rate-funded Pilot 
participants, but also to gather information to aid the exploration of 
improving the security and protection of E-Rate-funded networks going 
forward. To that end, and as discussed herein, the Commission is not 
limiting Pilot participation to existing E-Rate participants but will 
allow all eligible schools, libraries, and consortia to apply for the 
Pilot. By taking a holistic approach that incorporates all types of 
eligible schools and libraries, the Commission seeks to gather data 
that will help it evaluate how best to safeguard E-Rate-funded networks 
now and in the future.
    96. Second Performance Goal: Measuring the costs associated with 
cybersecurity services and equipment, and the amount of funding needed 
to adequately meet the demand for these services if extended to all E-
Rate participants. Next, the Commission adopts a goal of measuring the 
costs and effectiveness of cybersecurity services and equipment. By 
making a wide range of cybersecurity services and equipment eligible 
for USF support, the Pilot will enable the Commission to gather data on 
the associated cost and effectiveness of various cybersecurity 
solutions. As ALA, in particular, has observed, there are concerns 
about the cost to the USF of adding any new E-Rate eligible services 
and equipment, including cybersecurity services and equipment. By 
measuring these costs as part of the Pilot, the Commission will be 
well-positioned to evaluate the potential challenges to funding these 
types of services and equipment over the long term. In addition, to 
measure effectiveness, CIS recommended that the Commission require 
participants ``to assess themselves before the Pilot and annually 
against a recognized cybersecurity framework and provide their scores 
as a measurement of success against their individual baseline.'' With 
such recommendations in mind, the Commission adopts a goal of measuring 
the costs and effectiveness of cybersecurity services and equipment, 
gathering data for the Commission to determine whether it is 
economically feasible to support advanced firewall and other 
cybersecurity services and equipment with universal service funding. In 
adopting this goal, the Commission disagrees with commenters who 
suggest that, in collecting data to evaluate the Pilot, its goals 
should be focused on determining ``how to best modernize the E-rate 
Category 2 to include cybersecurity permanently'' or adopting 
concurrent changes to its category two rules to permit funding for 
advanced firewalls and MFA. Although the Commission hopes to learn more 
about whether and how to best fund cybersecurity services and equipment 
at the conclusion of the Pilot, it does not prejudge the appropriate 
mechanism or services and equipment to fund and, instead, look 
holistically at how universal service funds could be used to meet the 
K-12 schools' and libraries'

[[Page 61302]]

demand for cybersecurity services and equipment.
    97. Third Performance Goal: Evaluating how to leverage other 
Federal K-12 cybersecurity tools and resources to help schools and 
libraries effectively address their cybersecurity needs. Third, the 
Commission adopts a goal of evaluating how to best leverage other 
available and low-cost and free Federal resources to better equip K-12 
schools and libraries to proactively address their cybersecurity risks, 
though it does not go so far as to require the use of specific Federal 
Government tools and resources as initially discussed in the 
Cybersecurity NPRM. Commenters generally agreed with this goal. The 
Friday Institute for Education Innovation (Friday Institute), for 
example, stated that its Federal partners ``provide a wealth of best 
practices and knowledge,'' and ``[r]elying on their expertise is a 
prudent approach to shaping the E-rate program's cybersecurity 
component.'' CTIA emphasized the importance of collaborating with other 
agencies to pursue and implement shared cybersecurity objectives. 
Commenters emphasize that collaboration with other Federal partners is 
``vital,'' with the Cybersecurity Coalition and Information Technology 
Industry Council (Cybersecurity Coalition/ITI) noting that they are 
``pleased'' that the Pilot is focused on ``how to balance [the] 
`complementary work of federal agency partners.' '' The Commission 
agrees with commenters on the importance of leveraging the expertise of 
its Federal, state, and local partners, and adopting this goal for the 
Pilot Program signals its intent to continue to work collaboratively on 
shared objectives to streamline its efforts to address schools' and 
libraries' cybersecurity challenges. To this end, the Commission agrees 
with commenters that, where possible, it should align its Pilot with 
the cybersecurity goals of its Federal partners.
    98. Data reporting requirements for participants. To measure the 
Pilot's success in meeting the aforementioned goals, the Commission 
adopts initial, annual, and final reporting requirements for 
participants. In the Cybersecurity NPRM, the Commission proposed that 
Pilot participants submit certain information to apply for the Pilot, a 
progress report for each year of the Pilot, and a final report at the 
conclusion of the Pilot. The Commission also proposed that these 
reports contain information on how Pilot funding was used, any changes 
or advancements that were made to the school's or library's 
cybersecurity efforts outside of the Pilot-funded services and 
equipment, the number of cyber incidents that occurred each year of the 
Pilot Program, and the impact of each cyber incident on the school's or 
library's broadband network and data. The Commission sought comment on 
these proposals, as well as the best ways for it to evaluate the Pilot 
and measure progress towards the proposed performance goals.
    99. Commenters generally agreed with its proposal to establish data 
reporting requirements. Crown Castle Fiber LLC (Crown Castle) noted the 
value of data reporting requirements, stating that they provide 
``valuable insight into the types of new services and equipment that 
applicants purchase to address their network and data security concerns 
and the impact of implementing various cybersecurity solutions.'' FFL 
emphasized that the effectiveness of the Pilot Program should be 
measured by progress made toward the implementation of solutions and 
tactics known to increase resiliency to attacks, not by the presence or 
characteristics of cyberattacks or applicant responses during an 
applicant's participation in the Pilot. CTIA suggested that the 
reporting requirements use standardized metrics to obtain a common 
baseline of data across participants to aid in program evaluation.
    100. Some commenters provided detailed recommendations about the 
reporting metrics the Commission should use to gather and report Pilot 
data. CrowdStrike, for example, stated that one promising evaluation 
metric is mean time to detection and response, and suggested that the 
Commission designate a ``control group'' of similar organizations to 
assess Pilot success. Rubrik proposed a variety of metrics to measure 
Pilot effectiveness, such as the ability to quickly recover from a 
cyber event; identify sensitive data on the network where it resides 
and determine who has access to it; and test cyber recovery 
functionality to properly plan for a cyber event. The City of New York 
Office of Technology and Innovation (City of NY OTI) suggested specific 
metrics that could include ``Mean Time to Detect''; ``Mean Time to 
Response''; ``False Positive Rate''; ``True Positive Rate''; and 
``Investigation Rate to Incident Containment Rate.''
    101. Based on the record, the Commission adopts the requirement for 
initial, annual, and final reporting so that Pilot participants 
evaluate and report on their cybersecurity readiness before they begin 
participation in, during, and after the Pilot Program and it directs 
the Bureau to add a certification as part of the data collection 
requirements that will require participants to certify to the accuracy 
of the information reported and define mechanisms for enforcement. 
Specifically, after providing an initial baseline assessment using 
information that includes the reporting requirements for the second 
part of the application process, Pilot participants will be required to 
submit annual reports, followed by a final report at the completion of 
the program. In establishing these periodic reporting requirements, the 
Commission seeks to balance its need for gathering the data necessary 
to evaluate the goals and success of the Pilot with commenters' 
recommendations that it minimize the burden on Pilot participants to 
the extent possible. The Commission finds that tracking and evaluating 
participants' cybersecurity progress over the course of the Pilot will 
be essential in helping us determine whether and how to fund schools' 
and libraries' cybersecurity needs through the E-Rate program or 
another universal service program on an ongoing basis. Information 
contained in initial, annual, and final reports will be presumptively 
confidential; however, the Commission does plan to use school or 
library data as a tool to evaluate the Pilot and determine next steps. 
Additionally, at its discretion, the Commission may create for public 
release a version of this information that is aggregated, anonymized, 
or otherwise not subject to protection from disclosure under the 
Freedom of Information Act. The Commission requires Pilot participants 
to submit each annual report no later than 60 days following the 
conclusion of each year (i.e., year one and year two) of the Pilot 
Program, and to submit their final report no later than 60 days 
following the conclusion of the last year (i.e., year three) of the 
Pilot Program. To accomplish the goal of periodic reporting by Pilot 
participants, the Commission delegates to the Bureau the authority to 
use school and library data to evaluate the Pilot, as well as the 
authority to create and release a public version of this information. 
The Commission also directs the Bureau to release a Public Notice (or 
multiple Public Notices, as needed) detailing the specific information 
to be provided by Pilot participants, additional detail regarding the 
timing for the submission of these reports, and to consider developing 
a standardized reporting form and publicizing its availability. In 
developing the required reporting metrics, the Commission directs the 
Bureau to consult with OEA and relevant Federal partners to identify 
those metrics that will best serve the

[[Page 61303]]

needs of the Pilot and allow the Commission to evaluate whether and to 
what extent the Pilot succeeded in meeting the three performance goals. 
The Bureau should, to the extent practicable, and subject to approval 
from OMB, make the data reporting requirements available to Pilot 
participants prior to the availability of the Pilot FCC Form 470 to 
enable participants to consider whether there is any required 
information that they may need to obtain from their vendor(s) during 
the competitive bidding process.
    102. Finally, in making these data reporting recommendations, a few 
commenters expressed concerns about protecting both the sensitive 
nature of the data and insulating Pilot applicants and participants 
from malicious cybersecurity actors who would use the data for 
nefarious purposes. The Commission is sensitive to and agree with these 
concerns and have measures in place to protect the school- and library-
specific cybersecurity data it requests as part of the Pilot Program. 
Specifically, the Commission finds that the information provided by 
Pilot participants in the initial, annual, and final reports required 
by the Pilot constitutes sensitive business information and the reports 
may also contain trade secrets. The Commission therefore will treat 
this information as presumptively confidential under its rules and 
withhold it from public inspection. In addition, the Commission has 
elected to bifurcate the application process, seeking a more general 
level of cybersecurity information from applicants and leaving the more 
detailed cybersecurity reporting for Pilot participants. Taken 
together, the Commission expects that these measures will alleviate 
commenters' concerns about protecting Pilot applicants' and 
participants' sensitive information regarding cybersecurity threats and 
readiness.
    103. Pilot Program reports. The Commission directs the Bureau, in 
consultation with OEA, to review the reports submitted by Pilot 
participants and publish one interim report during the three-year Pilot 
and a final report after the Pilot has concluded. The interim report 
will, at a minimum, provide a summary of funding commitments and 
disbursements to-date and provide an update on progress toward the 
Pilot Program's performance goals. The final report will, at a minimum, 
provide a summary of funding disbursements, evaluate the Pilot 
Program's success in meeting each performance goal, and identify 
lessons learned. Recognizing the sensitivity of the information 
provided by Pilot applicants and participants, the Commission directs 
the Bureau to follow procedures for confidential information, including 
aggregating the information as necessary. The Commission directs the 
Bureau to publish the interim report no later than 180 days after Pilot 
participants submit their second (i.e., year two) annual reports and to 
publish the final report no later than 180 days after Pilot 
participants submit their final (i.e., year three) reports.
    104. The Commission provides a path for recourse to parties 
aggrieved by decisions issued by USAC as a result of, or during, the 
Pilot. Specifically, the Commission adopts appeal and waiver request 
rules consistent with those that govern USAC's administration of the 
USF programs, including the E-Rate program. The Commission finds these 
existing processes sufficient to provide a meaningful review of 
decisions issued by USAC and the Commission regarding the Pilot. 
However, the Commission makes one modification for the Pilot Program 
appeal and waiver rules and provide a 30-day timeframe to request the 
review of an action by USAC, or to request the review of a decision by 
USAC or a waiver of the Commission's rules. Despite assertions from 
some commenters that modifying the rules in this manner would limit 
Pilot participant flexibility and is unnecessary in this context, the 
Commission thinks this change will benefit Pilot participants (and the 
program generally) by providing faster timeframes for appeal and waiver 
decisions and final Pilot funding decisions. Additionally, the 
Commission finds that a 30-day timeframe is appropriate given the 
limited three-year duration of the Pilot Program.
    105. The Commission concludes that the Commission has legal 
authority to establish a Pilot Program that provides USF support for 
cybersecurity services and equipment to eligible schools and libraries. 
As a preliminary matter, in the Cybersecurity NPRM, it tentatively 
concluded that the Commission has sufficient legal authority for 
funding cybersecurity services and equipment for schools and libraries 
pursuant to sections 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the 
Act. The Commission noted that the Pilot is consistent with Congress's 
view that the USF represents an evolving level of service, informing 
potential future actions that the Commission would take to further its 
obligation to ``establish periodically'' universal service rules that 
``tak[e] into account advances in telecommunications and information 
technologies and services.'' Additionally, the Commission noted that 
the existing record supported the view that the Pilot is ``technically 
feasible and economically reasonable'' as required by section 
254(h)(2)(A) of the Act. The Commission also noted that the proposed 
Pilot appeared consistent with section 254(c)(3) of the Act, which 
grants the Commission authority to ``designate additional services for 
[USF] support . . . for schools [and] libraries,'' as the Pilot would 
allow for the designation of additional services that may be used by 
participating schools and libraries based on USF funding. In the 
Cybersecurity NPRM, the Commission sought additional comment on such 
views and on the other sources of legal authority, such as the extent 
to which the Pilot fulfills the Commission's mandate to make 
``[q]uality services'' available at just, reasonable, and affordable 
rates, and the limits and restrictions that it should place on 
recipients of Pilot funds to remain within the statutory authority.
    106. Commenters generally supported its conclusion that sufficient 
legal authority exists for the creation of this Pilot Program. In 
particular, commenters agreed that universal service is an ``evolving 
level of telecommunications services,'' and noted that the Pilot-
supported services and equipment ``reflect ongoing advances in schools 
and libraries broadband networks and services.'' Furthermore, Cisco 
stated that enhanced cybersecurity services and equipment strengthens 
and ensures access to and usability of broadband networks, supporting 
the Act's mandate that the Commission enhance access to advanced 
telecommunications and information services for schools and libraries. 
Cisco also noted that the scale and number of cybersecurity threats and 
attacks increased during the pandemic, as schools shifted to heavier 
reliance on technology services, and ``such changed circumstances 
support consideration of a change in the Commission's policy with 
respect to the funding of cybersecurity measures for schools and 
libraries,'' in furtherance of Congress's mandate ``to take into 
account evolving technologies and to designate additional services to 
support enhanced connectivity for schools and libraries.''
    107. It agrees with these assessments, and affirm its conclusion in 
the Cybersecurity NPRM that the Commission has sufficient legal 
authority to use universal service funds to support cybersecurity 
services and equipment for eligible schools and libraries, for several 
reasons. First, the Commission agrees that providing

[[Page 61304]]

support for cybersecurity services and equipment fulfills its mandate 
under section 254(c)(1) of the Act to periodically refine universal 
service to take into account advances in technology and services. As 
CoSN points out, the Pilot Program will provide support for new 
services and equipment that reflect advances in school networking 
technology. By studying how best universal service funds can be used to 
support E-Rate-funded networks and data, the Pilot enables us to refine 
universal service in today's modern educational environment, pursuant 
to section 254(c)(1) of the Act.
    108. Second, the Commission finds that Pilot funds will be used for 
``educational purposes,'' pursuant to section 254(h)(1)(B) of the Act. 
E-Rate rules require schools and libraries to use eligible services 
``primarily for educational purposes,'' defined for schools as 
``activities that are integral, immediate, and proximate to the 
education of students,'' and for libraries as ``activities that are 
integral, immediate, and proximate to the provision of library services 
to library patrons.'' Pilot funds will help ensure that school and 
library connections are reliable and not disrupted by cyberattacks, and 
will further protect the sensitive data often stored on those networks. 
As such, use of Pilot funds serves an educational purpose, by promoting 
the education of students, or the provision of library services to 
library patrons, free from disruption, cyberattack, or theft of 
sensitive data, pursuant to its mandate under section 254(h)(1)(B) of 
the Act.
    109. Furthermore, the Commission concludes that the use of 
universal service support for advanced firewalls and other 
cybersecurity services and equipment for educational purposes fits 
within the Commission's authority and direction under section 
254(h)(1)(B) of the Act to designate ``services that are within the 
definition of universal service under subsection (c)(3),'' which 
authorizes the Commission to designate non-telecommunications services 
for support. In the First Universal Service Order, 62 FR 32862, June 
17, 1997, the Commission found that sections 254(h)(1)(B) through 
254(c)(3) of the Communications Act authorizes universal service 
support for telecommunications services and additional services such as 
information services. The Commission therefore finds that, to the 
extent any of the advanced firewall or cybersecurity services are not 
telecommunications services, those services nevertheless can be 
purchased with universal service support pursuant to section 
254(h)(1)(B) of the Act. In addition, sections 254(h)(1)(B) through 
254(c)(3) of the Act provides authority to support the advanced 
firewall and cybersecurity equipment that the Pilot will fund to 
protect E-Rate-funded networks and data. In the First Universal Service 
Order, the Commission concluded that ``we can include `the information 
services,' e.g., protocol conversion and information storage, that are 
needed to access the internet, as well as internal connections, as 
`additional services' that section 254(h)(1)(B), through section 
254(c)(3), authorizes us to support.'' The Commission further 
distinguished between ineligible types of peripheral equipment (e.g., 
laptops) and eligible equipment that is necessary to make the services 
functional. Therefore, the Commission also finds that because advanced 
firewall and cybersecurity equipment are critical to support the 
services that will protect E-Rate-funded networks and data, they fall 
into the latter category and it therefore concludes that the Commission 
has authority under sections 254(h)(1)(B) through 254(c)(3) of the Act 
to support the purchase of advanced firewall and cybersecurity 
equipment for educational purposes.
    110. Additionally, the Commission has concluded that, pursuant to 
sections 4(i) and 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the Act, 
E-Rate-supported services can be provided by both telecommunications 
carriers and non-telecommunications carriers. In reaching this 
conclusion, the Commission determined that section 254(h)(1)(B)'s 
requirement that discounts for services be provided to 
``telecommunications carriers'' does not ``stand as a bar to its 
authority to allow non-telecommunications providers to provide such 
services and participate in the E-rate program'' under sections 
254(h)(2)(A) and 4(i) because limiting the eligibility of such services 
to only those provided by telecommunications carriers would ``unduly 
limit the flexibility of schools and libraries to select the most cost-
effective broadband solutions to meet their needs, which would be 
inconsistent with its schools and libraries policies.'' Moreover, 
permitting the provision of such services by both telecommunications 
and non-telecommunications carriers ``enhances access to advanced 
telecommunications and information services for public and non-profit 
elementary and secondary school classrooms and libraries.'' Consistent 
with this authority, the Commission likewise allow Pilot participants 
to purchase eligible services and equipment from both 
telecommunications and non-telecommunications providers because it will 
provide Pilot participants with greater access and flexibility to 
select the best option at lower costs.
    111. Third, and separately, the Commission affirms its authority 
under section 254(h)(2)(A) of the Act, as the Pilot will enhance access 
to advanced telecommunications and information services for elementary 
and secondary school classrooms and libraries. The use of Pilot-
supported services to protect school and library broadband networks 
further enhances school classroom and library access to other advanced 
telecommunications and information services. Specifically, the 
Commission agree with CoSN that ``cyberattacks throttle or completely 
thwart the ability of schools and libraries to use the `advanced 
telecommunications and information services' promised by the Act.'' 
Supporting cybersecurity services through the Pilot will enable and 
encourage participants to make full use of their connectivity services, 
with the reassurance that their broadband networks and services, and 
the information contained in them is protected. The Commission finds 
this to be true even for use of school-owned devices used for 
educational purposes outside of the school, for example, in a student's 
home. Section 254(h)(2)(A)'s reference to ``classrooms'' is not 
prohibitive to the use of E-Rate support for off-premises use. The 
statute directs the Commission to establish rules to enhance access 
``for all public and nonprofit elementary and secondary school 
classrooms . . . and libraries.'' Notably, the text does not say to 
enhance access to services ``at'' or ``in'' school classrooms (or 
libraries), as would more naturally indicate a tie to a physical 
location. As such, the statute permits funding of services that enhance 
access for school classrooms and libraries, even if such services are 
used off-premises. Accordingly, the Pilot can support the purchase of 
advanced firewall and cybersecurity services and equipment for use on 
school-owned devices for educational purposes, even if those devices 
may be used off-premises.
    112. Lastly, the Commission finds that the Pilot Program is 
economically reasonable, and a prudent use of the limited universal 
service funds. The Commission has previously found expanding the types 
of cybersecurity services and equipment beyond basic firewall services 
to be cost-prohibitive to the E-Rate program. Since then, however, the 
COVID-19 pandemic

[[Page 61305]]

changed how K-12 schools and libraries use their broadband networks for 
educational purposes, and K-12 schools and libraries increasingly find 
themselves prime targets for cybersecurity threats and attacks by 
malicious actors who seek to exploit the schools' and libraries' 
networks and data. In light of such developments, as well as an 
increased cap for E-Rate funding, exploring expanding funding for 
cybersecurity services and equipment beyond basic firewalls is now 
prudent to determine whether there is more the Commission can do to 
protect schools' and libraries' E-Rate-funded broadband networks. 
Furthermore, by conducting a limited Pilot, the Commission can best 
determine whether it can support these essential services without 
jeopardizing the ability of the E-Rate program to continue to support 
the connectivity of school and library broadband networks. Generally, 
commenters were in favor of increasing funding to support cybersecurity 
services beyond basic firewalls. For example, CIS recommended that the 
Commission ``allow funding for any cybersecurity protection that 
improves or enhances the cybersecurity of an organization.'' Cisco 
stated that ``enhanced cybersecurity and advanced firewalls are needed 
for the delivery of reliable and useable broadband connectivity to 
students and educators'' and funding such services is ``consistent with 
the public interest, convenience, and necessity.'' As a result, the 
Commission finds funding cybersecurity services and equipment through 
the Pilot to be a prudent use of the limited USF support and conclude 
that the Pilot is economically reasonable pursuant to section 
254(h)(2)(A) of the Act.
    113. The Commission concludes that the requirements of the 
Children's internet Protection Act (CIPA) are triggered by the purchase 
of eligible services or equipment through the Pilot Program. As it has 
explained in the E-Rate and ECF programs, CIPA applies to the use of 
school- or library-owned computers, including laptop and tablet 
computers, if the school or library accepts support for services and 
equipment that are used for internet access, internet services, or 
internal connections. As discussed in the Cybersecurity NPRM, Congress 
enacted CIPA to protect children from exposure to harmful material 
while accessing the internet from a school or library, and CIPA 
prohibits certain schools and libraries having computers with internet 
access from receiving funding under section 254(h)(1)(B) of the Act 
unless they comply with specific internet safety requirements. Its 
determination that CIPA is applicable to the Pilot Program is 
consistent with past Commission decisions in the E-Rate program and E-
Rate ESLs which have included both basic firewall services provided as 
a standard component of a vendor's internet access service as category 
one internet access services, and standalone basic firewall services 
and components as category two internal connections services. Because 
the cybersecurity services and equipment it makes eligible under the 
Pilot Program serve functions equivalent to that of the basic firewall 
services currently supported by the E-Rate program, the Commission 
treats them similarly, either as standalone internal connections or as 
components of internet access. The Commission therefore concludes that 
the provision of Pilot support is also governed by sections 
254(h)(5)(A)(i) and 254(h)(6)(A)(i) of the Act, and compliance with the 
CIPA internet safety requirements is a condition of the receipt of 
Pilot Program support. As with the E-Rate and ECF programs, the 
Commission also concludes that CIPA does not apply where schools or 
libraries have purchased services to be used only in conjunction with 
student-, school staff-, or library patron-owned computers. Also, 
consistent with the ECF program, the Commission finds that a Pilot 
participant need not complete additional CIPA compliance certifications 
if it has already certified its CIPA compliance for E-Rate support for 
the funding year preceding the start of the Pilot (i.e., it has 
certified its compliance in an E-Rate FCC Form 486 or FCC Form 479). If 
a Pilot participant has not previously certified its CIPA compliance in 
the E-Rate program, it will need to do so to qualify for Pilot Program 
support or certify that it is taking actions to come into compliance 
with the CIPA requirements.
    114. In order to ease program administration, the Commission 
delegates to the Bureau, consistent with the goals of the Pilot 
Program, the authority to waive certain program deadlines, clarify any 
inconsistencies or ambiguities in the Pilot Program rules, adjust Pilot 
project funding commitments, or to perform other administrative tasks 
as may be necessary for the smooth implementation, administration, and 
operation of the Pilot Program. The Commission also delegates to the 
Bureau the authority to grant limited extensions of deadlines to Pilot 
projects, and other authority as may be necessary to ensure a 
successful Pilot Program.
    115. In addition, the Commission delegates financial, information 
security, and privacy oversight of the Pilot Program to OMD and OGC, 
and direct OMD and OGC to work in coordination with the Bureau to 
ensure that all financial, information security, and privacy aspects of 
the Pilot have adequate internal controls. These duties fall with OMD's 
current delegated authority to ensure that the Commission operates in 
accordance with Federal financial statutes and guidance. OMD performs 
this role with respect to USAC's administration of the Commission's 
universal service programs and it anticipates that OMD will leverage 
existing policies and procedures, to the extent practicable and 
consistent with the Pilot, to ensure the efficient and effective 
management of the program. Finally, it notes OMD is required to consult 
with the Bureau on any policy matters affecting the Pilot Program, 
consistent with Sec.  0.91(a) of the Commission's rules.
    116. The Commission directs the Bureau to conduct outreach to 
educate eligible schools and libraries about the Pilot Program, and to 
coordinate, as necessary, with other Federal agencies, and state, 
local, and Tribal governments. As supported by the record in this 
proceeding, the Commission also directs USAC to develop and implement a 
communications strategy, under the oversight of the Bureau, to provide 
training and information necessary for schools and libraries to 
successfully participate in the Pilot Program. Outreach, education, and 
engagement with Pilot Program applicants and, ultimately, selected 
Pilot participants will be an important tool in ensuring the Pilot 
Program is successful and meets its goals.
    117. The Commission recognizes that once implementation of the 
Pilot Program begins, the Bureau may encounter unforeseen issues or 
problems with the administration of the program that may need to be 
resolved. To promote maximum effectiveness and smooth administration of 
the Pilot Program, the Commission delegates to Bureau staff the 
authority to address and resolve such unforeseen administrative issues 
or problems, provided that doing so is consistent with the decisions it 
reached herein.

III. Procedural Matters

    118. Paperwork Reduction Act. This document contains new 
information collection requirements. The Commission, as part of its 
continuing effort to reduce paperwork burdens, will

[[Page 61306]]

invite the general public to comment on the information collection 
requirements contained in the Order as required by the Paperwork 
Reduction Act of 1995, Public Law 104-13. In addition, the Commission 
notes that pursuant to the Small Business Paperwork Relief Act of 2002, 
Public Law 107-198, see 44 U.S.C. 3506(c)(4), the Commission previously 
sought specific comment on how the Commission might further reduce the 
information collection burden for small business concerns with fewer 
than 25 employees.
    119. Congressional Review Act. The Commission has determined, and 
the Administrator of the Office of Information and Regulatory Affairs, 
OMB, concurs, that this rule is ``non-major'' under the Congressional 
Review Act, 5 U.S.C. 804(2). The Commission will send a copy of the 
Order to Congress and the Government Accountability Office pursuant to 
5 U.S.C. 801(a)(1)(A).
    120. Regulatory Flexibility Act. As required by the Regulatory 
Flexibility Act of 1980, as amended (RFA), an Initial Regulatory 
Flexibility Analysis (IRFA) was incorporated in the Cybersecurity NPRM, 
released in November of 2023. The Federal Communications Commission 
(Commission) sought written public comment on the proposals in the 
Cybersecurity NPRM, including comment on the IRFA. No comments were 
filed addressing the IRFA. This Final Regulatory Flexibility Analysis 
(FRFA) conforms to the RFA.
    121. The Nation's K-12 schools and libraries increasing rely on 
remote, digital learning technologies to connect students, teachers, 
and library patrons to information, jobs, and other vital learning 
opportunities. This shift has increased the extent to which schools and 
libraries rely on networks to connect with student and patrons. This 
shift has also made school and library networks prime targets for 
cybersecurity threats and attacks. When these attacks occur, they have 
the potential to disrupt school and library operations, resulting in a 
loss of learning, reductions in available bandwidth, significant 
monetary losses, and the potential for the leak and theft of personal 
information and confidential data associated with students, school 
staff and library patrons.
    122. The Nation's eligible schools, libraries, and consortia 
(comprised of eligible schools and libraries) may request universal 
service discounts for services and equipment to support their network 
connectivity, including telecommunications services, internet access, 
and internal connections, through the Commission's E-Rate program. The 
E-Rate program was created by the Commission in 1997 in response to the 
Telecommunications Act of 1996. The E-Rate program currently funds 
basic firewall service provided as part of the vendor's internet 
service as a category one service and separately-priced basic firewalls 
as a category two service. The E-Rate program, however, does not 
currently fund advanced firewalls or other cybersecurity services and 
equipment that have increasingly been requested by commenters to 
protect school and library networks from cyber harms over the years.
    123. In the Order, the Commission establishes a three-year Pilot 
Program (Pilot or Pilot Program) funded at $200 million, within the USF 
but separate from the E-Rate program, to enable it to assess the costs 
and benefits of utilizing universal service funds to support schools' 
and libraries' cybersecurity needs and how other Federal resources 
could be leveraged to ensure that these needs are addressed in the most 
efficient and effective manner. One objective of the Pilot is to help 
participants acquire cybersecurity services and equipment, including 
many of the equipment and services that have specifically been 
requested by commenters in the record, to improve the security of their 
broadband networks and data. Another objective of the Pilot is to 
measure the costs and effectiveness of cybersecurity services and 
equipment. By making a wide range of cybersecurity services and 
equipment eligible for USF support, the Pilot will enable the 
Commission to gather data on the associated cost and effectiveness of 
various solutions. A further objective of the Pilot is to evaluate how 
to best leverage other available low-cost and free Federal resources to 
help schools and libraries proactively address K-12 cybersecurity 
risks. To ensure that these objectives can be met, the Commission also 
adopts requirements that Pilot participants provide initial, annual, 
and final reports so that Pilot participants can be evaluated for their 
cybersecurity readiness before they begin participation in, during, and 
after the conclusion of the Pilot Program. By taking these actions, the 
Commission will be able to better to fulfill its obligation to ensure 
that schools and libraries have access to advanced telecommunications, 
as provided for by Congress in the 1996 Act.
    124. In addition, the Order finalizes several aspects of the 
structure and administration of the Pilot based on the proposals made 
in the Cybersecurity NPRM. For example, the Pilot establishes: (1) that 
schools and school districts will be eligible to receive up to $13.60 
per student, annually, on a pre-discounted basis, to purchase eligible 
cybersecurity services and equipment, with a pre-discount annual 
funding floor of $15,000 and a pre-discount annual funding maximum of 
$1.5 million; (2) a pre-discount annual budget of $15,000 per library, 
with the provision that library systems with more than 11 sites will be 
eligible for support up to a pre-discount maximum of $175,000 annually; 
and (3) that consortia participants comprised of eligible schools and 
libraries are eligible to receive funding based on student count (using 
the annual pre-discount $13.60 per student multiplier) and the number 
of library sites (using the $15,000 per library pre-discount annual 
budget) subject to either the pre-discount $175,000 annual budget 
maximum for library systems or pre-discount $1.5 million annual budget 
maximum for schools depending on the consortium's constituency. While 
these budgets, including associated maximums and floors, are specified 
in terms of annualized dollar amounts, participants' expenses are 
capped based on the full three-year duration of the Pilot and not on an 
annual basis. Thus, Pilot participants may request reimbursement for 
expenses as they are incurred even if it means that the amount of 
funding disbursed to a participant in a given year of the program 
exceeds their annual budget, so long as the total amount disbursed to a 
participant over the three-year term does not exceed three times that 
annual budget. The Pilot requires participants to contribute a portion 
of the costs of the cybersecurity services and equipment they seek to 
purchase with Pilot Program support, similar to the non-discount share 
that E-Rate applicants are required to contribute to the cost of their 
eligible services and equipment. The Commission also permits all 
eligible schools and libraries, including those that do not currently 
participate in the E-Rate program, to apply to participate in the 
Pilot.
    125. The Commission also adopts a P-ESL in the Order, which 
specifies eligible cybersecurity services and equipment for the Pilot. 
The P-ESL deems services and/or equipment eligible if they constitute a 
protection designed to improve or enhance the cybersecurity of a K-12 
school, library, or consortia. To provide clarity and specificity to 
small entity and other participants, the P-ESL also enumerates as 
eligible, in a non-limiting manner, four categories of technology 
raised by

[[Page 61307]]

commenters as effective in combatting cyber threats, namely, (i) 
advanced/next-generation firewalls; (ii) endpoint protection; (iii) 
identity protection and authentication; and (iv) monitoring, detection, 
and response. For purposes of the Pilot, the Commission defines: (i) an 
``advanced'' or ``next-generation'' firewall as equipment, services, or 
a combination of equipment and services, that limits access between 
networks, excluding basic firewalls that are funded through the 
Commission's E-Rate program; (ii) endpoint protection as equipment, 
services, or a combination of equipment and services that implements 
safeguards to protect school- and library-owned end-user devices, 
including desktops, laptops, and mobile devices, against cybersecurity 
threats and attacks; (iii) identity protection and authentication as 
equipment, services, or a combination of equipment and services that 
implements safeguards to protect a user's network identity from theft 
or misuse and/or provide assurance about the network identity of an 
entity interacting with a system; and (iv) monitoring, detection, and 
response as equipment, services, or a combination of equipment and 
services that monitor and/or detect threats to a network and that take 
responsive action to remediate or otherwise address those threats. 
Through the list of examples provided in the P-ESL, the Commission 
confirms that a wide range of services and equipment that it had 
proposed for inclusion in the Cybersecurity NPRM, or that commenters 
had otherwise requested, are eligible. In the Order, the Commission 
describes that eligibility is limited to equipment that is network-
based (i.e., that excludes end-user devices, including, for example, 
tablets, smartphones, and laptops) and services that are network-based 
and/or locally installed on end-user devices, where the devices are 
owned or leased by the school or library, and where equipment and 
services are designed to identify and/or remediate threats that could 
otherwise directly impair or disrupt a school's or library's network, 
including to threats from users accessing the network remotely.
    126. In the Order, it explains that ineligible costs include, among 
other things, (i) any equipment, service, or other related cost that is 
eligible in the Commission's E-Rate program eligible services list in 
the corresponding E-Rate funding year for which Pilot reimbursement is 
sought, (ii) any equipment, service, or other related cost, or portion 
thereof, for which a participant has already received reimbursement in 
full or in part, or plans to apply for reimbursement in full or in 
part, through any other USF or Federal, state, or local program, and 
(iii) any equipment or services prohibited by the Secure and Trusted 
Communications Networks Act of 2019, Public Law 116-124, 134 Stat. 158 
(2020) (codified as amended at 47 U.S.C. 1601-1609) (Secure Networks 
Act) or the Commission's rules, including Sec. Sec.  54.9 and 54.10 of 
the Commission's rules, that implement the Secure Networks Act.
    127. The Commission designates USAC to be the Administrator for the 
Pilot. The Commission requires applicants to submit part one of a FCC 
Form 484 application describing its proposed Pilot project and 
providing information to facilitate the evaluation and eventual 
selection of high-quality projects for inclusion in the Pilot. To 
facilitate the inclusion of a diverse set of Pilot projects and to 
target Pilot funds to the populations most in need of cybersecurity 
support, the Commission anticipates selecting projects from, and 
providing funding to, a combination of large and small and urban and 
rural schools, libraries, and consortia, with an emphasis on funding 
proposed Pilot projects that include low-income and Tribal applicants. 
Further, the Commission encourages participation in the Pilot by a 
broad range of service providers and do not discourage new companies 
from participating, nor does it require service providers to have 
preexisting service provider identification numbers (SPIN) before 
submitting cybersecurity bids or previous E-Rate experience before 
participating in the Pilot.
    128. In the Order, the Commission describes that it will direct 
funding to: (1) the neediest eligible schools, libraries, and consortia 
who will benefit most from cybersecurity funding (i.e., those at the 
highest discount rate percentages); (2) as many eligible schools, 
libraries, and consortia as possible; (3) those schools, libraries, and 
consortia that include Tribal entities; and (4) a mix of large and 
small and urban and rural, schools, libraries, and consortia. This will 
ensure that the Pilot contains a diverse cross-section of applicants 
with differing cybersecurity postures and experiences. In the event 
that number of FCC Form 484 applications received exceeds the number of 
projects that can be funded through the Pilot, the Commission will 
prioritize selection of Pilot participants by considering their funding 
needs in combination with the funding needs of the same type(s) of 
applicants with an eye toward selecting Pilot participants with 
differing levels of exposure to cybersecurity threats and attacks. In 
the event that there is insufficient funding to select all of the Pilot 
participants at a particular discount rate, the Commission will 
prioritize the selection of Pilot participants within the discount rate 
using the percentage of students who are eligible for free and reduced 
lunches within each applicant's school district. Funding for libraries 
will be prioritized based on the percentage of free and reduced lunch 
eligible students in the school district that is used to calculate the 
library's discount rate. Funding for individual schools that are not 
affiliated financially or operationally with a school district, such as 
private or charter schools that apply individually, will be prioritized 
based on each school's individual free and reduced student lunch 
eligible population.
    129. In the Order, the Commission directs the Bureau and the 
Universal Service Administration Company (USAC or the Administrator) to 
model the Pilot processes and forms on existing E-Rate and ECF 
programs' processes and forms to the extent possible for the Pilot 
Program. The Commission expects the Bureau and USAC to leverage the 
following Pilot forms, that will mirror existing E-Rate and ECF forms: 
(1) FCC Form 470 (Description of Services Requested and Certification 
Form); (2) FCC Form 471 (Description of Services Ordered and 
Certification Form); (3) FCC Form 472 (Billed Entity Applicant 
Reimbursement (BEAR) Form); and (4) FCC Form 474 (Service Provider 
Invoice (SPI) Form).
    130. To protect the integrity of the Pilot, and safeguard universal 
service funds, the Commission implements a number of program integrity 
protections. For example, it implements document retention requirements 
and a prohibition on gifts, and the Commission requires applicants 
provide certain certifications and be subject to auditing. The 
Commission has modeled these provisions after its E-Rate processes to 
protect the Pilot and ensure the limited program funding is used for 
its intended purposes. The Commission also applies its existing 
suspension are debarment rules to the Pilot. The Commission also 
delegates to Bureau the authority to address and resolve a number of 
matters, including unforeseen administrative issues or problems, 
provided that doing so is consistent with the decisions it reached in 
the Order. The Commission expects that this action will allow the 
Bureau and USAC to reduce any undue burdens on applicants and other 
individual and entities involved in the Pilot Program,

[[Page 61308]]

while ensuring that all program goals are efficient and effectively 
satisfied.
    131. There were no comments filed that specifically address the 
proposed rules and policies presented in the IRFA.
    132. Pursuant to the Small Business Jobs Act of 2010, which amended 
the RFA, the Commission is required to respond to any comments filed by 
the Chief Counsel for Advocacy of the Small Business Administration 
(SBA), and to provide a detailed statement of any change made to the 
proposed rules as a result of those comments. The Chief Counsel did not 
file any comments in response to the proposed rules in this proceeding.
    133. The RFA directs agencies to provide a description of and, 
where feasible, an estimate of the number of small entities that may be 
affected by the rules adopted herein. The RFA generally defines the 
term ``small entity'' as having the same meaning as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small business concern'' under the Small Business 
Act. A small business concern is one that: (1) is independently owned 
and operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the Small Business 
Administration (SBA).
    134. Small Businesses, Small Organizations, Small Governmental 
Jurisdictions. The Commission's actions, over time, may affect small 
entities that are not easily categorized at present. The Commission 
therefore describes, at the outset, three broad groups of small 
entities that could be directly affected herein. First, while there are 
industry specific size standards for small businesses that are used in 
the regulatory flexibility analysis, according to data from the Small 
Business Administration's (SBA) Office of Advocacy, in general a small 
business is an independent business having fewer than 500 employees. 
These types of small businesses represent 99.9% of all businesses in 
the United States, which translates to 33.2 million businesses.
    135. Next, the type of small entity described as a ``small 
organization'' is generally ``any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.'' 
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 
or less to delineate its annual electronic filing requirements for 
small exempt organizations. Nationwide, for tax year 2022, there were 
approximately 530,109 small exempt organizations in the U.S. reporting 
revenues of $50,000 or less according to the registration and tax data 
for exempt organizations available from the IRS.
    136. Finally, the small entity described as a ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' U.S. Census 
Bureau data from the 2022 Census of Governments indicate there were 
90,837 local governmental jurisdictions consisting of general purpose 
governments and special purpose governments in the United States. Of 
this number, there were 36,845 general purpose governments (county, 
municipal, and town or township) with populations of less than 50,000 
and 11,879 special purpose governments (independent school districts) 
with enrollment populations of less than 50,000. Accordingly, based on 
the 2022 U.S. Census of Governments data, the Commission estimates that 
at least 48,724 entities fall into the category of ``small governmental 
jurisdictions.''
    137. Small entities potentially affected by the rules herein are 
Schools, Libraries, Telecommunications Resellers, Local Resellers, 
Wired Telecommunications Carriers, All Other Telecommunications, 
Wireless Telecommunications Carriers (except Satellite), Wireless 
Carriers and Service Providers, Wired Broadband internet Access Service 
Providers (Wired ISPs), Wireless Broadband internet Access Service 
Providers (Wireless ISPs or WISPs), internet Service Providers (Non-
Broadband), Vendors of Infrastructure Development or Network Buildout, 
Telephone Apparatus Manufacturing, Custom Computer Programming 
Services, Other Computer Related Services (Except Information 
Technology Value Added Resellers), Information Technology Value Added 
Resellers, Software Publishers.
    138. While the Commission sought to minimize compliance burdens on 
small entities where practicable, the rules adopted in the Order will 
impose new or additional reporting, recordkeeping, and/or other 
compliance obligations on small entities that participate in the Pilot 
Program. The adopted rules encompass a broad range of Pilot-related 
compliance requirements that are summarized in further detail below.
    139. Application process. The purpose of the Pilot Program is to 
better assess the costs and benefits of utilizing universal service 
funds to support schools' and libraries' cybersecurity needs and how 
other Federal resources could be leveraged to ensure that these needs 
are addressed in the most efficient and effective manner. To do so, the 
Commission requires Pilot applicants to submit, as part of their 
application to participate in the Pilot, part one (out of two parts) of 
a new FCC Form 484 application, including by completing appropriate 
certifications. In this first part of the application, an applicant 
will provide a general level of cybersecurity information about itself 
and its proposed Pilot project, and will use pre-populated data, as 
well as a number of ``yes/no'' questions and questions with a 
predetermined set of responses (i.e., multiselect questions with 
predefined answers). The applicant will explain how its proposed 
project meets a number of criteria outlined in the Order. In addition, 
the applicant must present a clear strategy for addressing the 
cybersecurity needs of its K-12 school(s) and/or library(ies) pursuant 
to its proposed Pilot project, and clearly articulate how the project 
will accomplish the applicant's cybersecurity objectives. After 
selection for participation Pilot, participants shall submit to USAC a 
second part to the FCC Form 484, including by completing appropriate 
certifications. The second part will require that participants provide 
more detailed cybersecurity data and Pilot project information, 
including a description of the Pilot participant's current 
cybersecurity posture, information about the participant's planned 
use(s) for other Federal, state, or local cybersecurity funding (i.e., 
funding obtained outside of the Pilot), and information about a 
participant's history of cybersecurity threats and attacks within a 
year of the date of its application. Moreover, the Commission requires 
applications to be submitted through an online Pilot portal on USAC's 
website and direct the Bureau to issue a Public Notice that includes 
details and instructions on how to submit an application using the 
Pilot portal on USAC's website.
    140. Competitive Bidding, Requests for Services, and Invoicing and 
Reimbursement Processes. The Commission requires Pilot participants to 
provide information related to competitive bidding, requests for 
services and invoice and reimbursement information, including 
associated and appropriate certifications, using new Pilot Program 
forms that will mirror existing E-Rate and ECF forms: (1) FCC Form 470 
(Description of Services Requested and Certification Form);(2) FCC Form 
471 (Description of Services Ordered and Certification Form); (3) FCC 
Form 472 (Billed Entity Applicant Reimbursement (BEAR) Form); and (4)

[[Page 61309]]

FCC Form 474 (Service Provider Invoice (SPI) Form).
    141. Reporting Requirements. The Commission requires Pilot 
participants to submit initial, annual, and final reports. Applicants 
must provide an initial baseline assessment using information that 
includes the reporting requirements for the second part of the 
application process described.
    142. Document Retention Requirements. The Commission requires Pilot 
participants to retain all documents related to their participation in 
the Pilot Program sufficient to demonstrate compliance with all program 
rules for at least 10 years from the last date of service or delivery 
of equipment and to maintain asset and inventory records of services 
and equipment purchased sufficient to verify the actual location of 
such services and equipment for a period of 10 years after purchase. 
This rule requires that Pilot participants must retain documents 
regarding participation in the Pilot, including asset and inventory 
records, accumulated during the Pilot, for a period of 10 years. The 
Commission also requires Pilot participants to present such records 
upon request of any representative (including any auditor) appointed by 
a state education department, the Administrator, the Commission, its 
Inspector General, or any local, state, or Federal agency with 
jurisdiction over the entity.
    143. Pilot Program Certifications. As noted, the Commission 
requires participants to provide several certifications as part of 
their FCC Form 484 application, competitive bidding requirements, 
requests for services, and invoicing processes. Similarly, the 
Commission requires their selected service providers to provide 
certifications related to invoicing processes. The Commission also 
requires Pilot participants and service providers to certify that they 
are not seeking support or reimbursement for Pilot-eligible services 
and equipment that has been purchased and reimbursed from other 
Federal, state, Tribal, or local funding sources or that is eligible 
for discounts from E-Rate or another universal service program. Pilot 
participants and service providers must certify that they are seeking 
funding for only Pilot-eligible services and equipment.
    144. Other Delegations. As part of the Order, the Commission also 
delegates to Bureau the authority to address and resolve a number of 
procedural or administrative matters, including unforeseen 
administrative issues or problems, provided that doing so is consistent 
with the decisions it reached in the Order.
    145. The record does not include a detailed cost/benefit analysis 
that would allow the Commission to quantify the costs of compliance for 
small entities, including whether it will be necessary for small 
entities to hire professionals to comply with the adopted rules. 
However, as program participation by applicants and service providers 
is voluntary, and the Commission expects that Pilot participants will 
carefully weigh the benefits, costs, and burdens of participation to 
ensure that the benefits outweigh their costs. The Commission expects 
that there may be additional benefits that cannot be easily quantified, 
such as a reduction in learning downtime caused by cyberattacks, 
reputational benefits from increased trust in school and library 
systems, increased digital and cybersecurity literacy among students 
and staff, and the safeguarding of intellectual property. This limited 
Pilot Program will enable the Commission to evaluate the benefits of 
using universal service funding to fund cybersecurity services and 
equipment against the costs before deciding whether to support it on a 
permanent basis.
    146. The RFA requires an agency to provide, ``a description of the 
steps the agency has taken to minimize the significant economic impact 
on small entities . . . including a statement of the factual, policy, 
and legal reasons for selecting the alternative adopted in the final 
rule and why each one of the other significant alternatives to the rule 
considered by the agency which affect the impact on small entities was 
rejected.''
    147. In the Order, the Commission takes multiple steps that 
minimize economic impact on small entities related to the final rules 
it adopted. The Commission has sought to minimize economic impact on 
eligible small schools, libraries and consortia by dividing the process 
of completing the application form for participation in the Pilot (FCC 
Form 484) into two parts. By requiring that an applicant only complete 
the first part of the application form, which seeks more general 
information, with their initial application (i.e., prior to its 
decision about whether to approve the entity as a participant in the 
Pilot), the Commission minimizes the economic impacts associated with 
filling out the second part of the form in at least two ways. First, 
applicants that are not selected for participation in the Pilot will 
never be required to fill out the second portion of the form. Second, 
applicants that are selected will have additional time to gather and 
prepare their answers, as compared to an alternate approach where it 
could have required that the entire form be completed with the initial 
application.
    148. The Commission has also significantly minimized economic 
impacts on eligible small schools, libraries, consortia and service 
providers by modeling the Pilot processes and forms, including those 
related to competitive bidding, requests for services, and invoicing 
and reimbursement processes, on existing E-Rate and ECF processes and 
forms. This includes submitting applications using the Pilot portal on 
USAC's website. The Commission expects this action will meaningfully 
reduce any economic impact on small entities associated with completing 
information requested via these forms. First, the Commission expects 
that many small entity participants, including their potential 
consultants and advisors, and service providers will be familiar with 
the substance of the forms from their involvement with the Commission's 
E-Rate and ECF processes and forms. Second, the Commission expects that 
even those small entities that may not be involved with the E-Rate and 
ECF programs may benefit from the significant guidance and information 
that the Commission and USAC have issued over the years in those 
programs (e.g., trainings and instructions materials), that could also 
be relevant to the Pilot, including future guidance the Bureau will 
provide about the Pilot Program requirements through a Public Notice. 
Third, the Commission expects that these forms will generally be easy 
to use and efficient to complete based on its observation, made over 
many years, that forms with similar substance have proven effective in 
the Commission's E-Rate and ECF programs. The Commission thus expect 
its actions will significantly minimize any economic impact on small 
entities compared to an alternative approach where it developed Pilot 
processes and forms that were not related to those already developed in 
the Commission's E-Rate and ECF programs.
    149. The Commission has also designed its reporting requirements to 
minimize the economic impact on small entities while ensuring that it 
gathers the information necessary to achieve the goals and ensure the 
success of the Pilot. In particular, have required only annual 
reporting from participants during the duration of the Pilot rather 
than alternate approaches where it could have required either per-
incident ``real-time'' reports based on the occurrence of certain 
notable cyber

[[Page 61310]]

events or regular but more frequent (e.g., quarterly) reporting. To 
further reduce economic impacts on small entities the Commission has 
also directed the Bureau to consider the development of a standardized 
reporting form for use by Pilot participants.
    150. Additionally, the Commission has also delegated authority to 
the Bureau to address and resolve a number of matters, including 
unforeseen administrative issues or problems, provided that doing so is 
consistent with the decisions it reached in the Order. The Commission 
expects that that these delegations of authority will permit the Bureau 
and Administrator to take procedural actions, based on their experience 
gained managing the Pilot Program, to further reduce, wherever 
possible, economic impacts on small entities while still ensuring that 
all Pilot Program goals are effectively and efficiently satisfied.
    151. The Commission also will not require the use of specific 
Federal Government tools and resources in the Pilot as initially 
suggested in the Cybersecurity NPRM. Further, while several commenters 
support a shortened Pilot duration of either one year or eighteen 
months, the Commission adopts its proposed three-year Pilot Program 
because it will allow us a better opportunity to evaluate whether 
universal service support should be used to fund cybersecurity services 
and equipment on a permanent basis. In determining the share of costs, 
participants will use their category one discount rate to determine the 
non-discount share of costs, instead of the category two discount 
proposed in the Cybersecurity NPRM, allowing participants with the 
highest discount rate to be eligible for support for 90 percent of 
their costs.
    152. The Commission considered, but declined to adopt, proposals to 
abandon the traditional E-Rate reimbursement structure and instead 
provide ``seed'' money at the start of the Pilot, because requiring 
participants to contribute their funds toward eligible equipment and 
services helps to safeguard the integrity of the program and is 
consistent with processes in E-Rate and other universal service 
programs. However, for the Pilot, the Commission modifies the time to 
request appeal and waiver of an action by USAC to 30 days instead of 
the 60-day timeframe in the existing programs. Though commenters assert 
this will limit flexibility for participants, the Commission thinks the 
change is appropriate for the Pilot Program because it will allow for 
faster decisions in a program that has a limited duration.
    153. The Commission will send a copy of the Order, including this 
FRFA, in a report to Congress pursuant to the Congressional Review Act. 
In addition, the Commission will send a copy of the Order, including 
the FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the 
Order and FRFA (or summaries thereof) will also be published in the 
Federal Register.
    154. OPEN Government Data Act. The OPEN Government Data Act, 
requires agencies to make ``public data assets'' available under an 
open license and as ``open Government data assets,'' i.e., in machine-
readable, open format, unencumbered by use restrictions other than 
intellectual property rights, and based on an open standard that is 
maintained by a standards organization. This requirement is to be 
implemented ``in accordance with guidance by the Director'' of OMB. The 
term ``public data asset'' means ``a data asset, or part thereof, 
maintained by the Federal Government that has been, or may be, released 
to the public, including any data asset, or part thereof, subject to 
disclosure under [the Freedom of Information Act (FOIA)].'' A ``data 
asset'' is ``a collection of data elements or data sets that may be 
grouped together,'' and ``data'' is ``recorded information, regardless 
of form or the media on which the data is recorded.'' The Commission 
delegates authority, including the authority to adopt rules, to the 
Bureau, in consultation with the agency's Chief Data and Analytics 
Officer and after seeking public comment to the extent it deems 
appropriate, to determine whether any data assets maintained or created 
by the Commission pursuant to the rules adopted herein are ``public 
data assets'' and if so, to determine when and to what extent such 
information should be made publicly available to the extent the 
Commission has not done so. In doing so, the Bureau shall take into 
account the extent to which such data assets should not be made 
publicly available because they are not subject to disclosure under the 
FOIA.
    155. People with Disabilities. To request materials in accessible 
formats for people with disabilities (Braille, large print, electronic 
files, audio format), send an email to [email protected] or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice).

IV. Ordering Clauses

    156. Accordingly, it is ordered, that pursuant to the authority 
contained in sections 1 through 4, 201 through 202, 254, 303(r), and 
403 of the Communications Act of 1934, as amended, 47 U.S.C. 151-154, 
201-202, 254, 303(r), and 403, the Report and Order is adopted 
effective August 29, 2024.
    157. It is further ordered, that pursuant to the authority 
contained in sections 1 through 4, 201 through 202, 254, 303(r), and 
403 of the Communications Act of 1934, as amended, 47 U.S.C. 151-154, 
201-202, 254, 303(r), and 403, part 54 of the Commission's rules, 47 
CFR part 54, is amended, and such rule amendments shall be effective 
August 29, 2024, except for Sec. Sec.  54.2004, 54.2005, 54.2006, and 
54.2008, which are delayed indefinitely. The Commission will publish a 
document in the Federal Register announcing the effective date for 
those sections after approved by the Office of Management and Budget as 
required by the Paperwork Reduction Act.

List of Subjects in 47 CFR Part 54

    Communications common carriers, Cybersecurity, Internet, Libraries, 
Reporting and recordkeeping requirements, Schools, Telecommunications, 
Telephone.

Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends part 54 of title 47 of the Code of 
Federal Regulations as follows:

PART 54--UNIVERSAL SERVICE

0
1. The authority citation for part 54 continues to read as follows:

    Authority: 47 U.S.C. 151, 154(i), 155, 201, 205, 214, 219, 220, 
229, 254, 303(r), 403, 1004, 1302, 1601-1609, and 1752, unless 
otherwise noted.


0
2. Add subpart T to read as follows:

Subpart T--Schools and Libraries Cybersecurity Pilot Program

Sec.
54.2000 Terms and definitions.
54.2001 Cap, budgets, and duration.
54.2002 Eligible recipients.
54.2003 Eligible services and equipment.
54.2004-54.2006 [Reserved]
54.2007 Discounts.
54.2008 [Reserved]
54.2009 Audits, inspections, and investigations.
54.2010 Records retention and production.
54.2011 Administrator of the Schools and Libraries Cybersecurity 
Pilot Program.
54.2012 Appeal and waiver requests.
54.2013 Children's internet Protection Act certifications.

[[Page 61311]]

Sec.  54.2000  Terms and definitions.

    Administrator. The term ``Administrator'' means the Universal 
Service Administrative Company.
    Applicant. An ``applicant'' is a school, library, or consortium of 
schools and/or libraries that applies to participate in the Schools and 
Libraries Cybersecurity Pilot Program.
    Billed entity. A ``billed entity'' is the entity that remits 
payment to service providers for services rendered to eligible schools, 
libraries, or consortia of eligible schools and libraries.
    Commission. The term ``Commission'' means the Federal 
Communications Commission (FCC).
    Connected device. The term ``connected device'' means a laptop or 
desktop computer, or a tablet.
    Consortium. A ``consortium'' is any local, Tribal, statewide, 
regional, or interstate cooperative association of schools and/or 
libraries eligible for Schools and Libraries Cybersecurity Pilot 
Program support that seeks competitive bids for eligible services or 
funding for eligible services on behalf of some or all of its members. 
A consortium may also include health care providers eligible under 
subpart G of this part, and public sector (governmental) entities, 
including, but not limited to, state colleges and state universities, 
state educational broadcasters, counties, and municipalities, although 
such entities are not eligible for support.
    Cyber incident. An occurrence that actually or potentially results 
in adverse consequences to an information system or the information 
that the system processes, stores, or transmits and that may require a 
response action to mitigate or eliminate the consequences.
    Cyber threat. A circumstance or event that has or indicates the 
potential to exploit vulnerabilities and to adversely impact 
organizational operations, organizational assets (including information 
and information systems), individuals, other organizations, or society.
    Cyberattack. An attempt to gain unauthorized access to system 
services, resources, or information, or an attempt to compromise system 
or information integrity.
    Doxing. The act of compiling or publishing personal information 
about an individual on the internet, typically with malicious intent.
    Educational purposes. For purposes of this subpart, activities that 
are integral, immediate, and proximate to the education of students, or 
in the case of libraries, integral, immediate, and proximate to the 
provision of library services to library patrons, qualify as 
``educational purposes.''
    Elementary school. An ``elementary school'' means an elementary 
school as defined in 20 U.S.C. 7801(18), a non-profit institutional day 
or residential school, including a public elementary charter school, 
that provides elementary education, as determined under state law.
    Library. A ``library'' includes:
    (1) A public library;
    (2) A public elementary school or secondary school library;
    (3) A Tribal library;
    (4) An academic library;
    (5) A research library, which for the purpose of this subpart means 
a library that:
    (i) Makes publicly available library services and materials 
suitable for scholarly research and not otherwise available to the 
public; and
    (ii) Is not an integral part of an institution of higher education; 
and
    (6) A private library, but only if the state in which such private 
library is located determines that the library should be considered a 
library for the purposes of this definition.
    Library consortium. A ``library consortium'' is any local, 
statewide, Tribal, regional, or interstate cooperative association of 
libraries that provides for the systematic and effective coordination 
of the resources of schools, and public, academic, and special 
libraries and information centers, for improving services to the 
clientele of such libraries. For the purposes of this subpart, 
references to library will also refer to library consortium.
    National School Lunch Program. The ``National School Lunch 
Program'' is a program administered by the U.S. Department of 
Agriculture and state agencies that provides free or reduced price 
lunches to economically disadvantaged children. A child whose family 
income is between 130 percent and 185 percent of applicable family size 
income levels contained in the nonfarm poverty guidelines prescribed by 
the Office of Management and Budget (OMB) is eligible for a reduced 
price lunch. A child whose family income is 130 percent or less of 
applicable family size income levels contained in the nonfarm income 
poverty guidelines prescribed by OMB is eligible for a free lunch.
    Pilot participant. A ``Pilot participant'' is an eligible school, 
library, or consortium of eligible schools and/or libraries selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program.
    Pre-discount price. The ``pre-discount price'' means, in this 
subpart, the price the service provider agrees to accept as total 
payment for its eligible services and equipment. This amount is the sum 
of the amount the service provider expects to receive from the eligible 
school, library, or consortium, and the amount it expects to receive as 
reimbursement from the Schools and Libraries Cybersecurity Pilot 
Program for the discounts provided under this subpart.
    Secondary school. A ``secondary school'' means a secondary school 
as defined in 20 U.S.C. 7801(38), a non-profit institutional day or 
residential school, including a public secondary charter school, that 
provides secondary education, as determined under state law except that 
the term does not include any education beyond grade 12.
    Tribal. An entity is ``Tribal'' if it is a school operated by or 
receiving funding from the Bureau of Indian Education (BIE), or if it 
is a school or library operated by any Tribe, Band, Nation, or other 
organized group or community, including any Alaska native village, 
regional corporation, or village corporation (as defined in, or 
established pursuant to, the Alaska Native Claims Settlement Act (43 
U.S.C. 1601 et seq.) that is recognized as eligible for the special 
programs and services provided by the United States to Indians because 
of their status as Indians.


Sec.  54.2001  Cap, budgets, and duration.

    (a) Cap. The Schools and Libraries Cybersecurity Pilot Program 
shall have a cap of $200 million.
    (b) Pilot participant budgets. Each Pilot participant will be 
subject to a specific budget. Budgets are specified in terms of 
annualized dollar amounts, but participants' expenses are capped based 
on the full three-year duration of the Pilot and participants may seek 
reimbursement for more than the annual budget for any given Pilot 
Program year, so long as the total amount disbursed over the three-year 
term does not exceed three times the applicable annual budget.
    (1) Schools. At a minimum, each eligible school or school district 
will receive a pre-discount budget of $15,000 annually. Schools and 
school districts with 1,100 students or fewer will be eligible to 
receive the annual pre-discount $15,000 funding floor. For schools and 
school districts with more than 1,100 students, the annual budget is 
calculated using the pre-discount $13.60 per-student multiplier, 
subject to an annual pre-discount budget maximum of $1.5 million.
    (2) Libraries. Each eligible library will receive a pre-discount 
budget of $15,000

[[Page 61312]]

annually up to 11 libraries/sites. For library systems with more than 
11 libraries/sites, the budget will be up to $175,000 pre-discount 
annually.
    (3) Consortia. Consortia comprised of eligible schools and 
libraries will be eligible to receive funding based on student count, 
using the pre-discount $13.60 per-student multiplier and $1.5 million 
pre-discount funding caps, and the number of library sites, using the 
pre-discount $15,000 annual per-library budget and $175,000 pre-
discount funding caps. Consortia solely comprised of eligible schools 
or comprised of both eligible schools and libraries are subject to the 
pre-discount annual $1.5 million budget maximum for schools and school 
districts. Consortia solely comprised of eligible libraries will be 
subject to the pre-discount annual $175,000 budget maximum for library 
systems.
    (c) Duration. The Schools and Libraries Cybersecurity Pilot Program 
shall make funding available to applicants selected to participate in 
the Pilot for three years, to begin when the applicants selected to 
participate in the Pilot are first eligible to receive eligible 
services and equipment (i.e., from the date of the first funding 
commitment decision letter).
    (d) Rules of prioritization. If total demand for the Schools and 
Libraries Cybersecurity Pilot Program exceeds the Pilot Program cap of 
$200 million, funding will be made available as follows:
    (1) Schools and libraries eligible for a 90 percent discount shall 
receive first priority for funds, as determined by the schools and 
libraries discount matrix in Sec.  54.2007. Funding shall next be made 
available for schools and libraries eligible for an 80 percent 
discount, then for a 70 percent discount, and continuing at each 
descending discount level until there are no funds remaining.
    (2) If funding is not sufficient to support all of the funding 
requests within a particular discount level, funding will be allocated 
at that discount level using the percentage of students eligible for 
the National School Lunch Program (NSLP). Thus, if there is not enough 
support to fund all requests at the 90 percent discount level, funding 
shall be allocated beginning with those applicants with the highest 
percentage of NSLP eligibility for that discount level, and shall 
continue at each descending percentage of NSLP until there are no funds 
remaining.


Sec.  54.2002  Eligible recipients.

    (a) Schools. (1) Only schools meeting the definition of 
``elementary school'' or ``secondary school'', as defined in Sec.  
54.2000, and not excluded under paragraph (a)(2) or (3) of this 
section, shall be eligible for discounts on supported services under 
this subpart.
    (2) Schools operating as for-profit businesses shall not be 
eligible for discounts under this subpart.
    (3) Schools with endowments exceeding $50,000,000 shall not be 
eligible for discounts under this subpart.
    (b) Libraries. (1) Only libraries eligible for assistance from a 
State library administrative agency under the Library Services and 
Technology Act (20 U.S.C. 9122) and not excluded under paragraph (b)(2) 
or (3) of this section shall be eligible for discounts under this 
subpart.
    (2) Except as provided in paragraph (b)(4) of this section, a 
library's eligibility for discounts under this subpart shall depend on 
its funding as an independent entity. Only libraries whose budgets are 
completely separate from any schools (including, but not limited to, 
elementary and secondary schools, colleges, and universities) shall be 
eligible for discounts as libraries under this subpart.
    (3) Libraries operating as for-profit businesses shall not be 
eligible for discounts under this subpart.
    (4) A Tribal college or university library that serves as a public 
library by having dedicated library staff, regular hours, and a 
collection available for public use in its community shall be eligible 
for discounts under this subpart.
    (c) Consortia--(1) Consortium Leader. Each consortium seeking 
support under this subpart must identify an entity or organization that 
will lead the consortium (the ``Consortium Leader''). The Consortium 
Leader may be an eligible school or library participating in the 
consortium; a state organization; public sector governmental entity, 
including a Tribal government entity; or a non-profit entity that is 
ineligible for support under this subpart. Ineligible state 
organizations, public sector entities, or non-profit entities may serve 
as Consortium Leaders or provide consulting assistance to consortia 
only if they do not participate as potential service providers during 
the competitive bidding process. An ineligible entity that serves as 
the Consortium Leader must pass through the full value of any 
discounts, funding, or other program benefits secured to the eligible 
schools and libraries that are members of the consortium.
    (2) For consortia, discounts under this subpart shall apply only to 
the portion of eligible services and equipment used by eligible schools 
and libraries.
    (3) Service providers shall keep and retain records of rates 
charged to and discounts allowed for eligible schools and libraries on 
their own or as part of a consortium. Such records shall be available 
for public inspection.


Sec.  54.2003  Eligible services and equipment.

    (a) Supported services and equipment. All supported services and 
equipment are identified in the Schools and Libraries Cybersecurity 
Pilot Program Eligible Services List (see Sec.  54.502(a)), available 
on the FCC's website at https://www.fcc.gov/cybersecurity-pilot/cybersecurity-pilot-eligible-services-list. The services and equipment 
in this subpart will be supported in addition to all reasonable charges 
that are incurred by taking such services, such as state and Federal 
taxes. Charges for termination liability, penalty surcharges, and other 
charges not included in the cost of taking such service shall not be 
covered by universal service support.
    (b) Prohibition on resale. Eligible supported services and 
equipment shall not be sold, resold, or transferred in consideration of 
money or any other thing of value, until the conclusion of the Schools 
and Libraries Cybersecurity Pilot Program, as provided in Sec.  
54.2001.


Sec. Sec.  54.2004-54.2006  [Reserved]


Sec.  54.2007  Discounts.

    (a) Discount mechanism. Discounts for participants in the Schools 
and Libraries Cybersecurity Pilot Program shall be set as a percentage 
discount from the pre-discount price.
    (b) Discount percentages. The discounts available to participants 
in the Schools and Libraries Cybersecurity Pilot Program shall range 
from 20 percent to 90 percent of the pre-discount price for all 
eligible services provided by eligible providers. The discounts 
available shall be determined by indicators of poverty and urban/
rurality designation.
    (1) For schools and school districts, the level of poverty shall be 
based on the percentage of the student enrollment that is eligible for 
a free or reduced price lunch under the National School Lunch Program 
(NSLP) or a federally-approved alternative mechanism. School districts 
shall divide the total number of students eligible for the NSLP within 
the school district by the total number of students within the school 
district to arrive at a percentage of students eligible. This 
percentage rate shall then be applied to the discount matrix to set a 
discount rate for the supported services purchased by all schools 
within the school district. Independent charter schools, private 
schools, and other eligible educational facilities should

[[Page 61313]]

calculate a single discount percentage rate based on the total number 
of students under the control of the central administrative agency.
    (2) For libraries and library consortia, the level of poverty shall 
be based on the percentage of the student enrollment that is eligible 
for a free or reduced price lunch under the NSLP or a federally-
approved alternative mechanism in the public school district in which 
they are located and should use that school district's level of poverty 
to determine their discount rate when applying as a library system or 
as an individual library outlet within that system. When a library 
system has branches or outlets in more than one public school district, 
that library system and all library outlets within that system should 
use the address of the central outlet or main administrative office to 
determine which school district the library system is in, and should 
use that school district's level of poverty to determine its discount 
rate when applying as a library system or as one or more library 
outlets. If the library is not in a school district, then its level of 
poverty shall be based on an average of the percentage of students 
eligible for the NSLP in each of the school districts that children 
living in the library's location attend.
    (3) The Administrator shall classify schools and libraries as 
``urban'' or ``rural'' according to the following designations. The 
Administrator shall designate a school or library as ``urban'' if the 
school or library is located in an urbanized area or urban cluster area 
with a population equal to or greater than 25,000, as determined by the 
most recent rural-urban classification by the Bureau of the Census. The 
Administrator shall designate all other schools and libraries as 
``rural.''
    (4) Participants in the Schools and Libraries Cybersecurity Pilot 
Program shall calculate discounts on supported services described in 
Sec.  54.2003 that are shared by two or more of their schools, 
libraries, or consortia members by calculating an average discount 
based on the applicable district-wide discounts of all member schools 
and libraries. School districts, library systems, or other billed 
entities shall ensure that, for each year in which an eligible school 
or library is included for purposes of calculating the aggregate 
discount rate, that eligible school or library shall receive a 
proportionate share of the shared services for which support is sought. 
For schools, the discount shall be a simple average of the applicable 
district-wide percentage for all schools sharing a portion of the 
shared services. For libraries, the average discount shall be a simple 
average of the applicable discounts to which the libraries sharing a 
portion of the shared services are entitled.
    (c) Discount matrix. The Administrator shall use the following 
matrix to set the discount rate to be applied to eligible services 
purchased by participants in the Schools and Libraries Cybersecurity 
Pilot Program based on the participant's level of poverty and location 
in an ``urban'' or ``rural'' area.

                        Table 1 to Paragraph (c)
------------------------------------------------------------------------
                                               Discount level
    % of students eligible for     -------------------------------------
   national school lunch program      Urban discount     Rural discount
------------------------------------------------------------------------
<1................................                 20                 25
1-19..............................                 40                 50
20-34.............................                 50                 60
35-49.............................                 60                 70
50-74.............................                 80                 80
75-100............................                 90                 90
------------------------------------------------------------------------

    (d) Payment for the non-discount portion of supported services and 
equipment. A participant in the Schools and Libraries Cybersecurity 
Pilot Program must pay the non-discount portion of costs for the 
services or equipment purchased with universal service discounts, and 
may not receive rebates for services or equipment purchased with 
universal service discounts. For the purpose of this subpart, the 
provision, by the provider of a supported service or equipment, of free 
services or equipment unrelated to the supported service or equipment 
constitutes a rebate of the non-discount portion of the costs for the 
supported services and equipment.


Sec.  54.2008  [Reserved]


Sec.  54.2009  Audits, inspections, and investigations.

    (a) Audits. Schools and Libraries Cybersecurity Pilot Program 
participants and service providers shall be subject to audits and other 
investigations to evaluate their compliance with the statutory and 
regulatory requirements in this chapter of the Schools and Libraries 
Cybersecurity Pilot Program, including those requirements pertaining to 
what services and equipment are purchased, what services and equipment 
are delivered, and how services and equipment are being used.
    (b) Inspections and investigations. Schools and Libraries 
Cybersecurity Pilot Program participants and service providers shall 
permit any representative (including any auditor) appointed by a state 
education department, the Administrator, the Commission, its Office of 
Inspector General, or any local, state, or Federal agency with 
jurisdiction over the entity to enter their premises to conduct 
inspections for compliance with the statutory and regulatory 
requirements in this subpart of the Schools and Libraries Cybersecurity 
Pilot Program.


Sec.  54.2010  Records retention and production.

    (a) Recordkeeping requirements. All Schools and Libraries 
Cybersecurity Pilot Program participants and service providers shall 
retain all documents related to their participation in the program 
sufficient to demonstrate compliance with all program rules for at 
least ten years from the last date of service or delivery of equipment. 
All Schools and Libraries Cybersecurity Pilot Program applicants shall 
maintain asset and inventory records of services and equipment 
purchased sufficient to verify the actual location of such services and 
equipment for a period of ten years after purchase.
    (b) Production of records. All Schools and Libraries Cybersecurity 
Pilot Program participants and service providers shall produce such 
records upon request of any representative (including any auditor) 
appointed by a state education department, the Administrator, the 
Commission, its Office of Inspector General, or any local, state, or 
Federal agency with jurisdiction over the entity.

[[Page 61314]]

Sec.  54.2011  Administrator of the Schools and Libraries Cybersecurity 
Pilot Program.

    (a) The Universal Service Administrative Company is appointed the 
Administrator of the Schools and Libraries Cybersecurity Pilot Program 
and shall be responsible for administering the Schools and Libraries 
Cybersecurity Pilot Program.
    (b) The Administrator shall be responsible for reviewing 
applications for funding, recommending funding commitments, issuing 
funding commitment decision letters, reviewing invoices and 
recommending payment of funds, as well as other administration-related 
duties.
    (c) The Administrator may not make policy, interpret unclear 
provisions of statutes or rules, or interpret the intent of Congress. 
Where statutes or the Commission's rules in this subpart are unclear, 
or do not address a particular situation, the Administrator shall seek 
guidance from the Commission.
    (d) The Administrator may advocate positions before the Commission 
and its staff only on administrative matters relating to the Schools 
and Libraries Cybersecurity Pilot Program.
    (e) The Administrator shall create and maintain a website, as 
defined in Sec.  54.5, on which applications for services will be 
posted on behalf of schools and libraries.
    (f) The Administrator shall provide the Commission full access to 
the data collected pursuant to the administration of the Schools and 
Libraries Cybersecurity Pilot Program.
    (g) The Administrator shall provide performance measurements 
pertaining to the Schools and Libraries Cybersecurity Pilot Program as 
requested by the Commission by order or otherwise.
    (h) The Administrator shall have the authority to audit all 
entities reporting data to the Administrator regarding the Schools and 
Libraries Cybersecurity Pilot Program. When the Commission, the 
Administrator, or any independent auditor hired by the Commission or 
the Administrator conducts audits of the participants of the Schools 
and Libraries Cybersecurity Pilot Program, such audits shall be 
conducted in accordance with generally accepted government auditing 
standards.
    (i) The Administrator shall establish procedures to verify support 
amounts provided by the Schools and Libraries Cybersecurity Pilot 
Program and may suspend or delay support amounts if a party fails to 
provide adequate verification of the support amounts provided upon 
reasonable request from the Administrator or the Commission.
    (j) The Administrator shall make available to whomever the 
Commission directs, free of charge, any and all intellectual property, 
including, but not limited to, all records and information generated by 
or resulting from its role in administering the support mechanisms, if 
its participation in administering the Schools and Libraries 
Cybersecurity Pilot Program ends. If its participation in administering 
the Schools and Libraries Cybersecurity Pilot Program ends, the 
Administrator shall be subject to close-out audits at the end of its 
term.


Sec.  54.2012  Appeal and waiver requests.

    (a) Parties permitted to seek review of Administrator decision. (1) 
Any party aggrieved by an action taken by the Administrator must first 
seek review from the Administrator.
    (2) Any party aggrieved by an action taken by the Administrator 
under paragraph (a)(1) of this section may seek review from the 
Commission as set forth in paragraph (b) of this section.
    (3) Parties seeking waivers of the Commission's rules in this 
subpart shall seek relief directly from the Commission and need not 
first file an action for review from the Administrator under paragraph 
(a)(1) of this section.
    (b) Filing deadlines. (1) An affected party requesting review of a 
decision by the Administrator pursuant to paragraph (a)(1) of this 
section shall file such a request within thirty (30) days from the date 
the Administrator issues a decision.
    (2) An affected party requesting review by the Commission pursuant 
to paragraph (a)(2) of this section of a decision by the Administrator 
under paragraph (a)(1) of this section shall file such a request with 
the Commission within thirty (30) days from the date of the 
Administrator's decision. Further, any party seeking a waiver of the 
Commission's rules under paragraph (a)(3) of this section shall file a 
request for such waiver within thirty (30) days from the date of the 
Administrator's initial decision, or, if an appeal is filed under 
paragraph (a)(1) of this section, within thirty days from the date of 
the Administrator's decision resolving such an appeal.
    (3) Parties shall adhere to the time periods for filing oppositions 
and replies set forth in Sec.  1.45 of this chapter.
    (c) General filing requirements. (1) Except as otherwise provided 
in this section, a request for review of an Administrator decision by 
the Commission shall be filed with the Commission's Office of the 
Secretary in accordance with the general requirements set forth in part 
1 of this chapter. The request for review shall be captioned ``In the 
Matter of Request for Review by (name of party seeking review) of 
Decision of Universal Service Administrator'' and shall reference the 
applicable docket numbers.
    (2) A request for review pursuant to paragraphs (a)(1) through (3) 
of this section shall contain:
    (i) A statement setting forth the party's interest in the matter 
presented for review;
    (ii) A full statement of relevant, material facts with supporting 
affidavits and documentation;
    (iii) The question presented for review, with reference, where 
appropriate, to the relevant Commission rule, Commission order, or 
statutory provision; and;
    (iv) A statement of the relief sought and the relevant statutory or 
regulatory provision pursuant to which such relief is sought.
    (3) A copy of a request for review that is submitted to the 
Commission shall be served on the Administrator consistent with the 
requirement for service of documents set forth in Sec.  1.47 of this 
chapter.
    (4) If a request for review filed pursuant to paragraphs (a)(1) 
through (3) of this section alleges prohibitive conduct on the part of 
a third party, such request for review shall be served on the third 
party consistent with the requirement for service of documents set 
forth in Sec.  1.47 of this chapter. The third party may file a 
response to the request for review. Any response filed by the third 
party shall adhere to the time period for filing replies set forth in 
Sec.  1.45 of this chapter and the requirement for service of documents 
set forth in Sec.  1.47 of this chapter.
    (d) Review by the Wireline Competition Bureau or the Commission. 
(1) Requests for review of Administrator decisions that are submitted 
to the Commission shall be considered and acted upon by the Wireline 
Competition Bureau; provided, however, that requests for review that 
raise novel questions of fact, law, or policy shall be considered by 
the full Commission.
    (2) An affected party may seek review of a decision issued under 
delegated authority by the Wireline Competition Bureau pursuant to the 
rules set forth in part 1 of this chapter.
    (e) Standard of review. (1) The Wireline Competition Bureau shall 
conduct a de novo review of requests for review of decisions issued by 
the Administrator.
    (2) The Commission shall conduct a de novo review of requests for 
review of decisions by the Administrator that involve novel questions 
of fact, law, or policy; provided, however, that the

[[Page 61315]]

Commission shall not conduct a de novo review of decisions issued by 
the Wireline Competition Bureau under delegated authority.
    (f) Schools and Libraries Cybersecurity Pilot Program disbursements 
during pendency of a request for review and Administrator decision. 
When a party has sought review of an Administrator decision under 
paragraphs (a)(1) through (3) of this section, the Commission shall not 
process a request for the reimbursement of eligible equipment and/or 
services until a final decision has been issued either by the 
Administrator or by the Commission; provided, however, that the 
Commission may authorize disbursement of funds for any amount of 
support that is not the subject of an appeal.


Sec.  54.2013  Children's internet Protection Act certifications.

    (a) Definitions--(1) School. For the purposes of the certification 
requirements of this section, school means school, school board, school 
district, local education agency, or other authority responsible for 
administration of a school.
    (2) Library. For the purposes of the certification requirements of 
this section, library means library, library board, or authority 
responsible for administration of a library.
    (3) Billed entity. Billed entity is defined in Sec.  54.2000. In 
the case of a consortium, the billed entity is the lead member of the 
consortium.
    (b) Certifications required. A school or library that receives 
support for eligible services and equipment through the Schools and 
Libraries Cybersecurity Pilot Program must make the certifications as 
described in paragraph (c) of this section.
    (c) CIPA certifications. (1) A Schools and Libraries Cybersecurity 
Pilot Program participant need not complete additional Children's 
internet Protection Act (CIPA) (47 U.S.C. 254(h) and (l)) compliance 
certifications if the participant has already certified its CIPA 
compliance for the schools and libraries universal service support 
mechanism funding year preceding the start of the Schools and Libraries 
Cybersecurity Pilot Program (i.e., has certified its compliance in an 
FCC Form 486 or FCC Form 479).
    (2) Schools and Libraries Cybersecurity Pilot Program participants 
that have not already certified their CIPA compliance for the schools 
and libraries universal service support mechanism funding year 
preceding the start of the Schools and Libraries Cybersecurity Pilot 
Program (i.e., have not completed a FCC Form 486 or FCC Form 479), will 
be required to certify:
    (i) That they are in compliance with CIPA requirements under 47 
U.S.C. 254(h) and (l);
    (ii) That they are undertaking the actions necessary to comply with 
CIPA requirements under 47 U.S.C. 254(h) and (l) as part of their 
request for support through the Schools and Libraries Cybersecurity 
Pilot Program, and will come into compliance within one year from the 
date of the submission of its FCC Form 471; or
    (iii) That they are not required to comply with CIPA requirements 
under 47 U.S.C. 254(h) and (l) because they are purchasing services to 
be used only in conjunction with student-, school staff- or library 
patron-owned computers.
    (d) Failure to provide certifications--(1) Schools and libraries. A 
school or library that knowingly fails to submit certifications as 
required by this section shall not be eligible for support through the 
Schools and Libraries Cybersecurity Pilot Program until such 
certifications are submitted.
    (2) Consortia. A billed entity's knowing failure to collect the 
required certifications from its eligible school and library members or 
knowing failure to certify that it collected the required 
certifications shall render the entire consortium ineligible for 
support through the Schools and Libraries Cybersecurity Pilot Program.
    (3) Reestablishing eligibility. At any time, a school or library 
deemed ineligible for equipment and services under the Schools and 
Libraries Cybersecurity Pilot Program because of failure to submit 
certifications required by this section may reestablish eligibility for 
support by providing the required certifications to the Administrator 
and the Commission.
    (e) Failure to comply with the certifications--(1) Schools and 
libraries. A school or library that knowingly fails to comply with the 
certifications required by this section must reimburse any funds and 
support received under the Schools and Libraries Cybersecurity Pilot 
Program for the period in which there was noncompliance.
    (2) Consortia. In the case of consortium applications, the 
eligibility for support of consortium members who comply with the 
certification requirements of this section shall not be affected by the 
failure of other school or library consortium members to comply with 
such requirements.
    (3) Reestablishing compliance. At any time, a school or library 
deemed ineligible for support through the Schools and Libraries 
Cybersecurity Pilot Program for failure to comply with the 
certification requirements of this section and that has been directed 
to reimburse the program for support received during the period of 
noncompliance may reestablish compliance by complying with the 
certification requirements under this section. Upon submittal to the 
Commission of a certification, the school or library shall be eligible 
for support through the Schools and Libraries Cybersecurity Pilot 
Program.
    (f) Waivers based on state or local procurement rules and 
regulations and competitive bidding requirements. Waivers shall be 
granted to schools and libraries when the authority responsible for 
making the certifications required by this section cannot make the 
required certifications because its state or local procurement rules or 
regulations or competitive bidding requirements prevent the making of 
the certification otherwise required. The waiver shall be granted upon 
the provision, by the authority responsible for making the 
certifications on behalf of schools or libraries, that the schools or 
libraries will be brought into compliance with the requirements of this 
section within one year from the date the waiver was granted.


0
3. Delayed indefinitely, add Sec. Sec.  54.2004 through 54.2006 to read 
as follows:


Sec.  54.2004  Application for Pilot Program selection and reporting of 
information.

    (a) Selection window. The Wireline Competition Bureau shall 
announce the opening of the Pilot Participant Selection Application 
Window for applicants to submit a Schools and Libraries Pilot 
Participant Selection Application.
    (b) Participant announcement. The Wireline Competition Bureau shall 
announce those eligible applicants who have been selected to 
participate in the Schools and Libraries Cybersecurity Pilot Program 
following the close of the Pilot Participant Selection Application 
Window.
    (c) Filing the FCC Form 484 to be considered for selection in the 
Pilot Program. (1) Schools, libraries, or consortia of eligible schools 
and libraries to be considered for participation in the Schools and 
Libraries Cybersecurity Pilot Program shall submit the first part of an 
FCC Form 484 to the Administrator, via a portal established by the 
Administrator, that contains, at a minimum, the following information:
    (i) Name, entity number, FCC registration number, employer 
identification number, addresses, and

[[Page 61316]]

telephone number for each school, library, and consortium member that 
will participate in the proposed Pilot project, including the identity 
of the lead site for any proposals involving a consortium.
    (ii) Contact information for the individual(s) who will be 
responsible for the management and operation of the proposed Pilot 
project, including name, title or position, telephone number, mailing 
address, and email address.
    (iii) Applicant number(s) and entity type(s), including Tribal 
information, if applicable, and current E-Rate participation status and 
discount percentage, if applicable.
    (iv) A broad description of the proposed Pilot project, including a 
description of the applicant's goals and objectives for the proposed 
Pilot project, a description of how Pilot funding will be used for the 
proposed project, and the cybersecurity risks the proposed Pilot 
project will prevent or address.
    (v) The cybersecurity equipment and services the applicant plans to 
request as part of its proposed project, the ability of the project to 
be self-sustaining once established, and whether the applicant has a 
cybersecurity officer or other senior-level staff member designated to 
be the cybersecurity officer for its Pilot project.
    (vi) Whether the applicant has previous experience implementing 
cybersecurity protections or measures, how many years of prior 
experience the applicant has, whether the applicant has experienced a 
cybersecurity incident within a year of the date of its application, 
and information about the applicant's participation or planned 
participation in cybersecurity collaboration and/or information-sharing 
groups.
    (vii) Whether the applicant has implemented, or begun implementing, 
any U.S. Department of Education (Education Department) or 
Cybersecurity and Infrastructure Security Agency (CISA) best practices 
recommendations, a description of any Education Department or CISA free 
or low-cost cybersecurity resources that an applicant currently 
utilizes or plans to utilize, or an explanation of what is preventing 
an applicant from utilizing these available resources.
    (viii) An estimate of the total costs for the proposed Pilot 
project, information about how the applicant will cover the non-
discount share of costs for the Pilot-eligible services, and 
information about other cybersecurity funding the applicant receives, 
or expects to receive, from other Federal, state, local, or Tribal 
programs or sources.
    (ix) Whether any of the ineligible services and equipment the 
applicant will purchase with its own resources to support the eligible 
cybersecurity equipment and services it plans to purchase with Pilot 
funding will have any ancillary capabilities that will allow it to 
capture data on cybersecurity threats and attacks, any free or low-cost 
cybersecurity resources that the applicant will require service 
providers to include in their bids, and whether the applicant will 
require its selected service provider(s) to capture and measure cost-
effectiveness and cyber awareness/readiness data.
    (x) A description of the applicant's proposed metrics for the Pilot 
project, how they align with the applicant's cybersecurity goals, how 
those metrics will be collected, and whether the applicant is prepared 
to share and report its cybersecurity metrics as part of the Pilot 
Program.
    (2) The first part of the FCC Form 484 shall be signed by a person 
authorized to submit the application to participate in the Schools and 
Libraries Cybersecurity Pilot Program on behalf of the eligible school, 
library, or consortium including such entities. The person authorized 
to submit the first part of the FCC Form 484 application on behalf of 
the entities listed on an FCC Form 484 shall also certify under oath 
that:
    (i) ``I am authorized to submit this application on behalf of the 
above-named applicant and that based on information known to me or 
provided to me by employees responsible for the data being submitted, I 
hereby certify that the data set forth in this form has been examined 
and is true, accurate, and complete. I acknowledge that any false 
statement on this application or on any other documents submitted by 
this applicant can be punished by fine or forfeiture under the 
Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment 
under Title 18 of the United States Code (18 U.S.C. 1001), or can lead 
to liability under the False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, this applicant is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this application, I certify that the information 
contained in this form is true, complete, and accurate, and the 
projected expenditures, disbursements, and cash receipts are for the 
purposes and objectives set forth in the terms and conditions of the 
Federal award. I am aware that any false, fictitious, or fraudulent 
information, or the omission of any material fact, may subject me to 
criminal, civil, or administrative penalties for fraud, false 
statements, false claims, or otherwise. (U.S. Code Title 18, Sec. Sec.  
1001, 286-287, and 1341, and Title 31, Sec. Sec.  3729-3730 and 3801-
3812).''
    (iv) The applicant recognizes that it may be audited pursuant to 
its application, that it will retain for ten years any and all records 
related to its application, and that, if audited, it shall produce such 
records at the request of any representative (including any auditor) 
appointed by a state education department, the Administrator, the 
Commission and its Office of Inspector General, or any local, state, or 
Federal agency with jurisdiction over the entity.
    (v) ``I certify and acknowledge, under penalty of perjury, that if 
selected, the schools, libraries, and consortia in the application will 
comply with all applicable Schools and Libraries Cybersecurity Pilot 
Program rules, requirements, and procedures, including the competitive 
bidding rules and the requirement to pay the required share of the 
costs for the supported items from eligible sources.''
    (vi) ``I certify under penalty of perjury, to the best of my 
knowledge, that the schools, libraries, and consortia listed in the 
application are not already receiving or expecting to receive other 
funding (from any source, federal, state, Tribal, local, private, or 
other) that will pay for the same equipment and/or services, or the 
same portion of the equipment and/or services, for which I am seeking 
funding under the Schools and Libraries Cybersecurity Pilot Program.''
    (vii) ``I certify under penalty of perjury, to the best of my 
knowledge, that all requested equipment and services funded by the 
Schools and Libraries Cybersecurity Pilot Program will be used for 
their intended purposes.''
    (d) Filing the FCC Form 484 once selected to be in the Pilot 
Program. (1) Schools, libraries, or consortia of eligible schools and 
libraries selected for participation in the Schools and Libraries 
Cybersecurity Pilot Program shall submit to the Administrator, via a

[[Page 61317]]

portal established by the Administrator, a second part to the FCC Form 
484 that contains, at a minimum, the following information, as 
applicable:
    (i) Information about correcting known security flaws and 
conducting routine backups, developing and exercising a cyber incident 
response plan, and any cybersecurity changes or advancements the 
participant plans to make outside of the Pilot-funded services and 
equipment.
    (ii) A description of the participant's current cybersecurity 
posture, including how the school or library is currently managing and 
addressing its current cybersecurity risks through prevention and 
mitigation tactics.
    (iii) Information about a participant's planned use(s) for other 
Federal, state, or local cybersecurity funding (i.e., funding obtained 
outside of the Pilot).
    (iv) Information about a participant's history of cybersecurity 
threats and attacks within a year of the date of its application; the 
date range of the incident, a description of the unauthorized access; a 
description of the impact to the school or library, a description of 
the vulnerabilities exploited and the techniques used to access the 
system, and identifying information for each actor responsible for the 
incident, if known.
    (v) A description of the specific U.S. Department of Education or 
Cybersecurity and Infrastructure Security Agency best practices 
recommendations that the participant has implemented or begun to 
implement.
    (vi) Information about a participant's current cybersecurity 
training policies and procedures, such as the frequency with which a 
participant trains its school and library staff and, separately, 
information about student cyber training sessions, and participation 
rates.
    (vii) Information about any non-monetary or other challenges a 
participant may be facing in developing a more robust cybersecurity 
posture.
    (2) The second part of the FCC Form 484 shall be signed by a person 
authorized to submit the second part as a participant in the Schools 
and Libraries Cybersecurity Pilot Program on behalf of the eligible 
school, library, or consortium including such entities. The person 
authorized to submit the second part of the FCC Form 484 application on 
behalf of the Pilot participants listed on an FCC Form 484 shall also 
certify under oath that:
    (i) ``I am authorized to submit this application on behalf of the 
above-named participant and that based on information known to me or 
provided to me by employees responsible for the data being submitted, I 
hereby certify that the data set forth in this form has been examined 
and is true, accurate, and complete. I acknowledge that any false 
statement on this application or on other documents submitted by this 
participant can be punished by fine or forfeiture under the 
Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment 
under Title 18 of the United States Code (18 U.S.C. 1001), or can lead 
to liability under the False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, this participant is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this application, I certify that the information 
contained in this form is true, complete, and accurate, and the 
projected expenditures, disbursements, and cash receipts are for the 
purposes and objectives set forth in the terms and conditions of the 
Federal award. I am aware that any false, fictitious, or fraudulent 
information, or the omission of any material fact, may subject me to 
criminal, civil, or administrative penalties for fraud, false 
statements, false claims, or otherwise. (U.S. Code Title 18, Sec. Sec.  
1001, 286-287, and 1341, and Title 31, Sec. Sec.  3729-3730 and 3801-
3812).''
    (iv) The participant recognizes that it may be audited pursuant to 
its application, that it will retain for ten years any and all records 
related to its application, and that, if audited, it shall produce such 
records at the request of any representative (including any auditor) 
appointed by a state education department, the Administrator, the 
Commission and its Office of Inspector General, or any local, state, or 
Federal agency with jurisdiction over the entity.
    (v) ``I certify and acknowledge, under penalty of perjury, that if 
selected, the schools, libraries, and consortia in the application will 
comply with all applicable Schools and Libraries Cybersecurity Pilot 
Program rules, requirements, and procedures, including the competitive 
bidding rules and the requirement to pay the required share of the 
costs for the supported items from eligible sources.''
    (vi) ``I certify under penalty of perjury, to the best of my 
knowledge, that the schools, libraries, and consortia listed in the 
application are not already receiving or expecting to receive other 
funding (from any source, federal, state, Tribal, local, private, or 
other) that will pay for the same equipment and/or services, or the 
same portion of the equipment and/or services, for which I am seeking 
funding under the Schools and Libraries Cybersecurity Pilot Program.''
    (vii) ``I certify under penalty of perjury, to the best of my 
knowledge, that all requested equipment and services funded by the 
Schools and Libraries Cybersecurity Pilot Program will be used for 
their intended purposes.''
    (3) In order for a school, library, or consortia of eligible 
schools and libraries selected for participation in the Schools and 
Libraries Cybersecurity Pilot Program to retain its status as a Pilot 
participant and receive Pilot Program support, it will be required to 
submit the information required by the second part of the FCC Form 484 
in the form specified by the Wireline Competition Bureau.
    (4) The Wireline Competition Bureau may waive, reduce, modify, or 
eliminate from the second part of the FCC Form 484, information 
requirements that prove unnecessary for the sound and efficient 
administration of the Pilot.
    (5) Failure to submit the information required by the second part 
of the FCC Form 484 may result in removal as a participant in the Pilot 
Program and/or a referral to the Enforcement Bureau.
    (e) Data reporting requirements for participants. (1) In order for 
a Pilot participant to receive and continue receiving Pilot Program 
support and retain its status as a Pilot participant, it will be 
required to submit initial and annual reports, followed by a final 
report at the completion of the program with the information and in the 
form specified by the Wireline Competition Bureau.
    (2) Prior to the start of the Pilot Program, the Wireline 
Competition Bureau shall announce the timing and form of the initial, 
annual, and final reports that Pilot participants must submit.
    (3) The Wireline Competition Bureau may waive, reduce, modify, or 
eliminate Pilot participant reporting requirements that prove 
unnecessary and require additional reporting requirements that the 
Bureau deems necessary to the sound and efficient administration of the 
Pilot.

[[Page 61318]]

    (4) Failure to submit initial, annual, and final reports may result 
in a referral to the Enforcement Bureau, a hold on future 
disbursements, recission of committed funds, and/or recovery of 
disbursed funds.


Sec.  54.2005   Competitive bidding requirements.

    (a) Fair and open competitive bidding process. All participants in 
the Schools and Libraries Cybersecurity Pilot Program must conduct a 
fair and open competitive bidding process, consistent with all 
requirements set forth in this subpart.
    Note to Paragraph (a): The following is an illustrative list of 
activities or behaviors that would not result in a fair and open 
competitive bidding process: the participant seeking supported services 
has a relationship with a service provider that would unfairly 
influence the outcome of a competition or would furnish the service 
provider with inside information; someone other than the participant or 
an authorized representative of the participant prepares, signs, and 
submits the FCC Form 470 and certification; a service provider 
representative is listed as the FCC Form 470 contact person and the 
participant allows that service provider to participate in the 
competitive bidding process; the service provider prepares the 
participant's FCC Form 470 or participates in the bid evaluation or 
vendor selection process in any way; the participant turns over to a 
service provider the responsibility for ensuring a fair and open 
competitive bidding process; a participant employee with a role in the 
service provider selection process also has an ownership interest in 
the service provider seeking to participate in the competitive bidding 
process; and the participant's FCC Form 470 does not describe the 
supported services with sufficient specificity to enable interested 
service providers to submit responsive bids.
    (b) Competitive bid requirements. All participants in the Schools 
and Libraries Cybersecurity Pilot Program shall seek competitive bids, 
pursuant to the requirements established in this subpart, for all 
services and equipment eligible for support under Sec.  54.2003, except 
as provided in paragraph (f) of this section. These competitive bidding 
requirements apply in addition to any applicable state, Tribal, and 
local competitive bidding requirements and are not intended to preempt 
such state, Tribal, or local requirements.
    (c) Posting of FCC Form 470. (1) Participants in the Schools and 
Libraries Cybersecurity Pilot Program shall submit a completed FCC Form 
470 to the Administrator to initiate the competitive bidding process. 
The FCC Form 470 shall include, at a minimum, the following 
information:
    (i) A list of specified services and/or equipment for which the 
school, library, or consortium requests bids; and
    (ii) Sufficient information to enable bidders to reasonably 
determine the needs of the applicant.
    (2) The FCC Form 470 shall be signed by a person authorized to 
request bids for eligible services and equipment for the eligible 
school, library, or consortium, including such entities, and shall 
include that person's certification under penalty of perjury that:
    (i) ``I am authorized to submit this application on behalf of the 
above-named participant in the Schools and Libraries Cybersecurity 
Pilot Program and that based on information known to me or provided to 
me by employees responsible for the data being submitted, I hereby 
certify that the data set forth in this form has been examined and is 
true, accurate, and complete. I acknowledge that any false statement on 
this application or on other documents submitted by this participant 
can be punished by fine or forfeiture under the Communications Act (47 
U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the 
United States Code (18 U.S.C. 1001), or can lead to liability under the 
False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, this participant is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this application, I certify that the information 
contained in this form is true, complete, and accurate. I am aware that 
any false, fictitious, or fraudulent information, or the omission of 
any material fact, may subject me to criminal, civil, or administrative 
penalties for fraud, false statements, false claims, or otherwise. 
(U.S. Code Title 18, Sec. Sec.  1001, 286-287, and 1341, and Title 31, 
Sec. Sec.  3729-3730 and 3801-3812).''
    (iv) The schools meet the definition of ``elementary school'' or 
``secondary school'', as defined in Sec.  54.2000, do not operate as 
for-profit businesses, and do not have endowments exceeding 
$50,000,000.
    (v) Libraries or library consortia eligible for assistance from a 
State library administrative agency under the Library Services and 
Technology Act of 1996 do not operate as for-profit businesses and, 
except for the limited case of Tribal college or university libraries, 
have budgets that are completely separate from any school (including, 
but not limited to, elementary and secondary schools, colleges, and 
universities).
    (vi) The services and/or equipment that the school, library, or 
consortium purchases at discounts will not be sold, resold, or 
transferred in consideration for money or any other thing of value, 
except as allowed by Sec.  54.2003(b).
    (vii) The school(s) and/or library(ies) listed on this FCC Form 470 
will not accept anything of value, other than services and equipment 
sought by means of this form, from the service provider, or any 
representatives or agent thereof, or any consultant in connection with 
this request for services.
    (viii) All bids submitted for eligible equipment and services will 
be carefully considered, with price being the primary factor, and the 
bid selected will be for the most cost-effective service offering 
consistent with paragraph (e) of this section.
    (ix) The school, library, or consortium acknowledges that support 
under the Schools and Libraries Cybersecurity Pilot Program is 
conditional upon the school(s) and/or library(ies) securing access, 
separately or through this program, to all of the resources necessary 
to effectively use the requested equipment and services. The school, 
library, or consortium recognizes that some of the aforementioned 
resources are not eligible for support and certifies that it has 
considered what financial resources should be available to cover these 
costs.
    (x) ``I will retain required documents for a period of at least 10 
years (or whatever retention period is required by the rules in effect 
at the time of this certification) after the later of the last day of 
the applicable Pilot Program year or the service delivery deadline for 
the associated funding request. I also certify that I will retain all 
documents necessary to demonstrate compliance with the statute (47 
U.S.C. 254) and Commission rules regarding the form for, receipt of, 
and delivery of equipment and services receiving Schools and Libraries 
Cybersecurity Pilot Program discounts. I acknowledge that I may be 
audited pursuant to participation in the Pilot Program.''

[[Page 61319]]

    (xi) ``I certify that the equipment and services that the 
participant purchases at discounts will be used primarily for 
educational purposes and will not be sold, resold, or transferred in 
consideration for money or any other thing of value, except as 
permitted by the Commission's rules at 47 CFR 54.2003(b). Additionally, 
I certify that the entity or entities listed on this form will not 
accept anything of value or a promise of anything of value, other than 
services and equipment sought by means of this form, from the service 
provider, or any representative or agent thereof, or any consultant in 
connection with this request for services.''
    (xii) ``I acknowledge that support under this Pilot Program is 
conditional upon the school(s) and/or library(ies) I represent securing 
access, separately or through this program, to all of the resources 
necessary to effectively use the requested equipment and services. I 
recognize that some of the aforementioned resources are not eligible 
for support. I certify that I have considered what financial resources 
should be available to cover these costs.''
    (xiii) ``I certify that I have reviewed all applicable Commission, 
state, Tribal, and local procurement/competitive bidding requirements 
and that the participant will comply with all applicable 
requirements.''
    (3) The Administrator shall post each FCC Form 470 that it receives 
from a participant in the Schools and Libraries Cybersecurity Pilot 
Program on its website designated for this purpose.
    (4) After posting on the Administrator's website an FCC Form 470, 
the Administrator shall send confirmation of the posting to the 
participant requesting services and/or equipment. The participant shall 
then wait at least 28 days from the date on which its description of 
services and/or equipment is posted on the Administrator's website 
before making any commitments with the selected providers of services 
and/or equipment. The confirmation from the Administrator shall include 
the date after which the participant may sign a contract with its 
chosen provider(s).
    (d) Gift restrictions. (1) Subject to paragraphs (d)(3) and (4) of 
this section, a participant in the Schools and Libraries Cybersecurity 
Pilot Program may not directly or indirectly solicit or accept any 
gift, gratuity, favor, entertainment, loan, or any other thing of value 
from a service provider participating in or seeking to participate in 
the Schools and Libraries Cybersecurity Pilot Program. No such service 
provider shall offer or provide any such gift, gratuity, favor, 
entertainment, loan, or other thing of value except as otherwise 
provided in this paragraph (d). Modest refreshments not offered as part 
of a meal, items with little intrinsic value intended solely for 
presentation, and items worth $20 or less, including meals, may be 
offered or provided, and accepted by any individuals or entities 
subject to this subpart, if the value of these items received by any 
individual does not exceed $50 from any one service provider per year. 
The $50 amount for any service provider shall be calculated as the 
aggregate value of all gifts provided during a year by the individuals 
specified in paragraph (d)(2)(ii) of this section.
    (2) For purposes of this paragraph (d):
    (i) The term ``participant in the Schools and Libraries 
Cybersecurity Pilot Program'' includes all individuals who are on the 
governing boards of such entities (such as members of a school 
committee), and all employees, officers, representatives, agents, 
consultants, or independent contractors of such entities involved on 
behalf of such school, library, or consortium with the Schools and 
Libraries Cybersecurity Pilot Program, including individuals who 
prepare, approve, sign, or submit applications, or other forms related 
to the Schools and Libraries Cybersecurity Pilot Program, or who 
prepare bids, communicate, or work with Schools and Libraries 
Cybersecurity Pilot Program service providers, Schools and Libraries 
Cybersecurity Pilot Program consultants, or with the Administrator, as 
well as any staff of such entities responsible for monitoring 
compliance with the Schools and Libraries Cybersecurity Pilot Program; 
and
    (ii) The term ``service provider'' includes all individuals who are 
on the governing boards of such an entity (such as members of the board 
of directors), and all employees, officers, representatives, agents, 
consultants, or independent contractors of such entities.
    (3) The restrictions set forth in this paragraph (d) shall not be 
applicable to the provision of any gift, gratuity, favor, 
entertainment, loan, or any other thing of value, to the extent given 
to a family member or a friend working for an eligible school, library, 
or consortium that includes an eligible school or library, provided 
that such transactions:
    (i) Are motivated solely by a personal relationship;
    (ii) Are not rooted in any service provider business activities or 
any other business relationship with any such participant in the 
Schools and Libraries Cybersecurity Pilot Program; and
    (iii) Are provided using only the donor's personal funds that will 
not be reimbursed through any employment or business relationship.
    (4) Any service provider may make charitable donations to a 
participant in the Schools and Libraries Cybersecurity Pilot Program in 
the support of its programs as long as such contributions are not 
directly or indirectly related to Schools and Libraries Cybersecurity 
Pilot Program procurement activities or decisions and are not given by 
service providers to circumvent competitive bidding and other Schools 
and Libraries Cybersecurity Pilot Program rules in this subpart.
    (e) Selecting a provider of eligible services and/or equipment. In 
selecting a provider of eligible services and equipment, participants 
in the Schools and Libraries Cybersecurity Pilot Program shall 
carefully consider all bids submitted and must select the most cost-
effective service and equipment offerings. In determining which service 
and equipment offering is the most cost-effective, entities may 
consider relevant factors other than the pre-discount prices submitted 
by providers, but price must be the primary factor considered.
    (f) Exemption to competitive bidding requirements. Participants in 
the Schools and Libraries Cybersecurity Pilot Program are not required 
to file an FCC Form 470 when seeking support for services and equipment 
purchased from Master Service Agreements negotiated by Federal, state, 
Tribal, or local governmental entities on behalf of such Pilot 
participants, if such Master Service Agreements were awarded pursuant 
to the E-Rate program FCC Form 470 process, as well as applicable 
Federal, state, Tribal, or local competitive bidding requirements.


Sec.  54.2006   Requests for funding.

    (a) Filing of the FCC Form 471. (1) A participant in the Schools 
and Libraries Cybersecurity Pilot Program shall, upon entering into a 
signed contract or other legally binding agreement for eligible 
services and/or equipment, submit a completed FCC Form 471 to the 
Administrator.
    (2) The FCC Form 471 shall be signed by the person authorized to 
order eligible services or equipment for the participant in the Schools 
and Libraries Cybersecurity Pilot Program and shall include that 
person's certification under penalty of perjury that:
    (i) ``I am authorized to submit this application on behalf of the 
above-named participant and that based on information known to me or 
provided to me by employees responsible for the data being submitted, I 
hereby certify

[[Page 61320]]

that the data set forth in this application has been examined and is 
true, accurate, and complete. I acknowledge that any false statement on 
this application or on any other documents submitted by this 
participant can be punished by fine or forfeiture under the 
Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment 
under Title 18 of the United States Code (18 U.S.C. 1001), or can lead 
to liability under the False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, this participant is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this application, I certify that the information 
contained in this application is true, complete, and accurate, and the 
projected expenditures, disbursements, and cash receipts are for the 
purposes and objectives set forth in the terms and conditions of the 
Federal award. I am aware that any false, fictitious, or fraudulent 
information, or the omission of any material fact, may subject me to 
criminal, civil, or administrative penalties for fraud, false 
statements, false claims, or otherwise. (U.S. Code Title 18, Sec. Sec.  
1001, 286-287, and 1341, and Title 31, Sec. Sec.  3729-3730 and 3801-
3812).''
    (iv) The school meets the definition of ``elementary school'' or 
``secondary school'', as defined in Sec.  54.2000, does not operate as 
a for-profit business, and does not have endowments exceeding 
$50,000,000.
    (v) The library or library consortia is eligible for assistance 
from a State library administrative agency under the Library Services 
and Technology Act, does not operate as a for-profit business and, 
except for the limited case of Tribal college and university libraries, 
have budgets that are completely separate from any school (including, 
but not limited to, elementary and secondary schools, colleges, and 
universities).
    (vi) The school, library, or consortium listed on the FCC Form 471 
application will pay the non-discount portion of the costs of the 
eligible services and/or equipment to the service provider(s).
    (vii) The school, library, or consortium listed on the FCC Form 471 
application has conducted a fair and open competitive bidding process 
and has complied with all applicable state, Tribal, or local laws 
regarding procurement of the equipment and services for which support 
is being sought.
    (viii) An FCC Form 470 was posted and that any related request for 
proposals (RFP) was made available for at least 28 days before 
considering all bids received and selecting a service provider. The 
school, library, or consortium listed on the FCC Form 471 application 
carefully considered all bids submitted and selected the most-cost-
effective bid for services and equipment in accordance with Sec.  
54.2005(e), with price being the primary factor considered.
    (ix) The school, library, or consortium listed on the FCC Form 471 
application is only seeking support for eligible services and/or 
equipment.
    (x) The school, library, or consortia is not seeking Schools and 
Libraries Cybersecurity Pilot Program support or reimbursement for the 
portion of eligible services and/or equipment that have been purchased 
and reimbursed in full or in part with other Federal, state, Tribal, or 
local funding, or are eligible for discounts from the schools and 
libraries universal service support mechanism or another universal 
service support mechanism.
    (xi) The services and equipment the school, library, or consortium 
purchases using Schools and Libraries Cybersecurity Pilot Program 
support will be used primarily for educational purposes and will not be 
sold, resold, or transferred in consideration for money or any other 
thing of value, except as allowed by Sec.  54.2003(b).
    (xii) The school, library, or consortium will create and maintain 
an equipment and service inventory as required by Sec.  54.2010(a).
    (xiii) The school, library, or consortium has complied with all 
program rules in this chapter and acknowledges that failure to do so 
may result in denial of funding and/or recovery of funding.
    (xiv) The school, library, or consortium acknowledges that it may 
be audited pursuant to its application, that it will retain for ten 
years any and all records related to its application, and that, if 
audited, it shall produce such records at the request of any 
representative (including any auditor) appointed by a state education 
department, the Administrator, the Commission and its Office of 
Inspector General, or any local, state, or Federal agency with 
jurisdiction over the entity.
    (xv) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or 
received by the participant, including, but not limited to, their 
employees, officers, representatives, agents, independent contractors, 
consultants, family members, and individuals who are on the governing 
boards, from anyone in connection with the Schools and Libraries 
Cybersecurity Pilot Program or the schools and libraries universal 
service support mechanism.
    (xvi) The school, library, or consortium acknowledges that 
Commission rules in this chapter provide that persons who have been 
convicted of criminal violations or held civilly liable for certain 
acts arising from their participation in the universal service support 
mechanisms are subject to suspension and debarment from the program. 
The school, library, or consortium will institute reasonable measures 
to be informed, and will notify the Administrator should it be informed 
or become aware that any of the entities listed on this application, or 
any person associated in any way with this entity and/or the entities 
listed on this application, is convicted of a criminal violation or 
held civilly liable for acts arising from their participation in the 
universal service support mechanisms.
    (b) Service or equipment substitution. (1) A request by a Schools 
and Libraries Cybersecurity Pilot Program participant to substitute a 
service or piece of equipment for one identified in its FCC Form 471 
must be in writing and certified under penalty of perjury by an 
authorized person.
    (2) The Administrator shall approve such written request where:
    (i) The service or equipment has the same functionality;
    (ii) The substitution does not violate any contract provisions or 
state, Tribal, or local procurement laws; and
    (iii) The Schools and Libraries Cybersecurity Pilot Program 
participant certifies that the requested change is within the scope of 
the controlling FCC Form 470.
    (3) In the event that a service or equipment substitution results 
in a change in the pre-discount price for the supported service or 
equipment, support shall be based on the lower of either the pre-
discount price of the service or equipment for which support was 
originally requested or the pre-discount price of the new, substituted 
service or equipment after the Administrator has approved a written 
request for the substitution.
    (c) Mixed eligibility services and equipment. A request for 
discounts for

[[Page 61321]]

services or equipment that includes both eligible and ineligible 
components must remove the cost of the ineligible components of the 
service or equipment from the request for funding submitted to the 
Administrator.
    (d) Application filing window. The Wireline Competition Bureau will 
announce the opening of the Pilot Participant Selection Application 
Window for participants to submit FCC Form 471 applications. The filing 
period shall begin and conclude on dates to the determined by the 
Wireline Competition Bureau. The Wireline Competition Bureau may 
implement additional filing periods as it deems necessary.
0
4. Delayed indefinitely, add Sec.  54.2008 to read as follows:


Sec.  54.2008   Requests for reimbursement.

    (a) Submission of request for reimbursement (FCC Form 472 or FCC 
Form 474). Consistent with the invoicing selection made by the Pilot 
participant, reimbursement for the costs associated with eligible 
services and equipment shall be provided directly to the participant, 
or its service provider(s), seeking reimbursement from the Schools and 
Libraries Cybersecurity Pilot Program upon submission and approval of a 
completed FCC Form 472 (Billed Entity Applicant Reimbursement Form) or 
a completed FCC Form 474 (Service Provider Invoice) to the 
Administrator.
    (1) The FCC Form 472 shall be signed by the person authorized to 
submit requests for reimbursement for the eligible school, library, or 
consortium and shall include that person's certification under penalty 
of perjury that:
    (i) ``I am authorized to submit this request for reimbursement on 
behalf of the above-named school, library, or consortium and that based 
on information known to me or provided to me by employees responsible 
for the data being submitted, I hereby certify that the data set forth 
in this request for reimbursement has been examined and is true, 
accurate, and complete. I acknowledge that any false statement on this 
request for reimbursement or on other documents submitted by this 
school, library, or consortium can be punished by fine or forfeiture 
under the Communications Act (47 U.S.C. 502, 503(b)), or fine or 
imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), 
or can lead to liability under the False Claims Act (31 U.S.C. 3729-
3733).''
    (ii) ``In addition to the foregoing, the school, library, or 
consortium is in compliance with the rules and orders governing the 
Schools and Libraries Cybersecurity Pilot Program, and I acknowledge 
that failure to be in compliance and remain in compliance with those 
rules and orders may result in the denial of funding, cancellation of 
funding commitments, and/or recoupment of past disbursements. I 
acknowledge that failure to comply with the rules and orders governing 
the Schools and Libraries Cybersecurity Pilot Program could result in 
civil or criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this request for reimbursement, I certify that 
the information contained in this request for reimbursement is true, 
complete, and accurate, and the expenditures, disbursements, and cash 
receipts are for the purposes and objectives set forth in the terms and 
conditions of the federal award. I am aware that any false, fictitious, 
or fraudulent information, or the omission of any material fact, may 
subject me to criminal, civil, or administrative penalties for fraud, 
false statements, false claims, or otherwise. (U.S. Code Title 18, 
sections Sec. Sec.  1001, 286-287, and 1341, and Title 31, Sec. Sec.  
3729-3730 and 3801-3812).''
    (iv) The funds sought in the request for reimbursement are for 
eligible services and/or equipment that were purchased in accordance 
with the Schools and Libraries Cybersecurity Pilot Program rules and 
requirements in this subpart and received by the school, library, or 
consortium. The equipment and/or services being requested for 
reimbursement were determined to be eligible and approved by the 
Administrator.
    (v) The non-discounted share of costs amount(s) were billed by the 
Service Provider and paid in full by the Billed Entity Applicant on 
behalf of the eligible schools, libraries, and consortia of those 
entities.
    (vi) The school, library, or consortium is not seeking Schools and 
Libraries Cybersecurity Pilot Program reimbursement for the portion of 
eligible services and/or equipment that have been purchased and 
reimbursed in full or in part with other Federal, state, Tribal, or 
local funding or are eligible for discounts from the schools and 
libraries universal service support mechanism or other universal 
service support mechanisms.
    (vii) The school, library, or consortium acknowledges that it must 
submit invoices detailing the items purchased and received along with 
the submission of its request for reimbursement as required by 
paragraph (b) of this section.
    (viii) The equipment and/or services the school, library, or 
consortium purchased will not be sold, resold, or transferred in 
consideration for money or any other thing of value, except as allowed 
by Sec.  54.2003(b).
    (ix) The school, library, or consortium acknowledges that it may be 
subject to an audit, inspection, or investigation pursuant to its 
request for reimbursement, that it will retain for ten years any and 
all records related to its request for reimbursement, and will make 
such records and equipment purchased with Schools and Libraries 
Cybersecurity Pilot Program reimbursement available at the request of 
any representative (including any auditor) appointed by a state 
education department, the Administrator, the Commission and its Office 
of Inspector General, or any local, state, or Federal agency with 
jurisdiction over the entity.
    (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or 
received by the participant, including, but not limited to, their 
employees, officers, representatives, agents, independent contractors, 
consultants, family members, and individuals who are on the governing 
boards, from anyone in connection with the Schools and Libraries 
Cybersecurity Pilot Program or the schools and libraries universal 
service support mechanism.
    (xi) The school, library, or consortium acknowledges that 
Commission rules provide that persons who have been convicted of 
criminal violations or held civilly liable for certain acts arising 
from their participation in the universal service support mechanisms 
are subject to suspension and debarment from the program. The school, 
library, or consortium will institute reasonable measures to be 
informed, and will notify the Administrator should it be informed or 
become aware that any of the entities listed on this application, or 
any person associated in any way with this entity and/or the entities 
listed on this application, is convicted of a criminal violation or 
held civilly liable for acts arising from their participation in the 
universal service support mechanisms.
    (xii) No universal service support has been or will be used to 
purchase, obtain, maintain, improve, modify, or otherwise support any 
equipment or services produced or provided by any company designated by 
the Commission as posing a national security threat to the integrity of 
communications networks or the communications supply chain since the 
effective date of the designations.
    (xiii) No Federal subsidy made available through a program 
administered by the Commission that provides funds to be used for the 
capital expenditures necessary for the provision of advanced 
communications services

[[Page 61322]]

has been or will be used to purchase, rent, lease, or otherwise obtain, 
any covered communications equipment or service, or maintain, any 
covered communications equipment or service, or maintain any covered 
communications equipment or service previously purchased, rented, 
leased, or otherwise obtained, as required by Sec.  54.10.
    (2) The FCC Form 474 shall be signed by the person authorized to 
submit requests for reimbursement for the service provider and shall 
include that person's certification under penalty of perjury that:
    (i) ``I am authorized to submit this request for reimbursement on 
behalf of the above-named Service Provider and that based on 
information known to me or provided to me by employees responsible for 
the data being submitted, I hereby certify that the data set forth in 
this request for reimbursement has been examined and is true, accurate, 
and complete. I acknowledge that any false statement on this request 
for reimbursement or on other documents submitted by this Service 
Provider can be punished by fine or forfeiture under the Communications 
Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of 
the United States Code (18 U.S.C. 1001), or can lead to liability under 
the False Claims Act (31 U.S.C. 3729-3733).''
    (ii) ``In addition to the foregoing, the Service Provider is in 
compliance with the rules and orders governing the Schools and 
Libraries Cybersecurity Pilot Program, and I acknowledge that failure 
to be in compliance and remain in compliance with those rules and 
orders may result in the denial of funding, cancellation of funding 
commitments, and/or recoupment of past disbursements. I acknowledge 
that failure to comply with the rules and orders governing the Schools 
and Libraries Cybersecurity Pilot Program could result in civil or 
criminal prosecution by law enforcement authorities.''
    (iii) ``By signing this request for reimbursement, I certify that 
the information contained in this request for reimbursement is true, 
complete, and accurate, and the expenditures, disbursements, and cash 
receipts are for the purposes and objectives set forth in the terms and 
conditions of the federal award. I am aware that any false, fictitious, 
or fraudulent information, or the omission of any material fact, may 
subject me to criminal, civil, or administrative penalties for fraud, 
false statements, false claims, or otherwise. (U.S. Code Title 18, 
Sec. Sec.  1001, 286-287, and 1341, and Title 31, Sec. Sec.  3729-3730 
and 3801-3812).''
    (iv) The funds sought in the request for reimbursement are for 
eligible services and/or equipment that were purchased in accordance 
with the Schools and Libraries Cybersecurity Pilot Program rules and 
requirements in this subpart and received by the school, library, or 
consortium.
    (v) The Service Provider is not seeking Schools and Libraries 
Cybersecurity Pilot Program reimbursement for eligible equipment and/or 
services for which the Service Provider has already been paid.
    (vi) The Service Provider certifies that the school's, library's, 
or consortium's non-discount portion of costs for the eligible 
equipment and services has not been waived, paid, or promised to be 
paid by this Service Provider. The Service Provider acknowledges that 
the provision of a supported service or free services or equipment 
unrelated to the supported equipment or services constitutes a rebate 
of the non-discount portion of the costs as stated in Sec.  54.2007(d).
    (vii) The Service Provider acknowledges that it must submit 
invoices detailing the items purchased and provided to the school, 
library, or consortium, along with the submission of its request for 
reimbursement as required by paragraph (b) of this section.
    (viii) The Service Provider certifies that it is compliant with the 
Commission's rules and orders regarding gifts and this Service Provider 
has not directly or indirectly offered or provided any gifts, 
gratuities, favors, entertainment, loans, or any other thing of value 
to any eligible school, library, or consortium, except as provided for 
in this subpart.
    (ix) The Service Provider acknowledges that it may be subject to an 
audit, inspection, or investigation pursuant to its request for 
reimbursement, that it will retain for ten years any and all records 
related to its request for reimbursement, and will make such records 
and equipment purchased with Schools and Libraries Cybersecurity Pilot 
Program reimbursement available at the request of any representative 
(including any auditor) appointed by a state education department, the 
Administrator, the Commission and its Office of Inspector General, or 
any local, state, or Federal agency with jurisdiction over the entity.
    (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid by the 
Service Provider to anyone in connection with the Schools and Libraries 
Cybersecurity Pilot Program or the schools and libraries universal 
service support mechanism.
    (xi) The Service Provider is not debarred or suspended from any 
Federal programs, including the universal service support mechanisms.
    (xii) No universal service support has been or will be used to 
purchase, obtain, maintain, improve, modify, or otherwise support any 
equipment or services produced or provided by any company designated by 
the Commission as posing a national security threat to the integrity of 
communications networks or the communications supply chain since the 
effective date of the designations.
    (xiii) No Federal subsidy made available through a program 
administered by the Commission that provides funds to be used for the 
capital expenditures necessary for the provision of advanced 
communications services has been or will be used to purchase, rent, 
lease, or otherwise obtain, any covered communications equipment or 
service, or maintain any covered communications equipment or service, 
or maintain any covered communications equipment or service previously 
purchased, rented, leased, or otherwise obtained, as required by Sec.  
54.10.
    (b) Required documentation. Along with the submission of a 
completed FCC Form 472 or FCC Form 474, a participant or service 
provider seeking reimbursement from the Schools and Libraries 
Cybersecurity Pilot Program must submit invoices detailing the items 
purchased and received to the Administrator at the time the FCC Form 
472 or FCC Form 474 is submitted.
    (c) Reimbursement and invoice processing. The Administrator shall 
accept and review requests for reimbursement and invoices subject to 
the invoice filing deadlines provided in paragraph (d) of this section.
    (d) Invoice filing deadline. Invoices must be submitted to the 
Administrator within ninety (90) days after the last date to receive 
service, in accordance with Sec.  54.2001(c).
    (e) Invoice deadline extensions. In advance of the deadline 
calculated pursuant to paragraph (d) of this section, billed entities 
or service providers may request a one-time extension of the invoice 
filing deadline. The Administrator shall grant a ninety (90) day 
extension of the invoice filing deadline, if the request is timely 
filed.
    (f) Choice of payment method. Service providers providing 
discounted services under this subpart shall, prior to the submission 
of the FCC Form 471, permit the Schools and Libraries Cybersecurity 
Pilot Program participant to choose the method of payment for the 
discounted

[[Page 61323]]

services from those methods offered by the Administrator, including 
making a full undiscounted payment and receiving subsequent 
reimbursement of the discount amount from the Administrator.

[FR Doc. 2024-15866 Filed 7-29-24; 8:45 am]
BILLING CODE 6712-01-P


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.