Federal Communications Commission FCC 23-92 Before the FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, D.C. 20554 In the Matter of Schools and Libraries Cybersecurity Pilot Program ) ) ) ) WC Docket No. 23-234 NOTICE OF PROPOSED RULEMAKING Adopted: November 8, 2023 Released: November 13, 2023 Comment Date: (30 days after publication in the Federal Register) Reply Comment Date: (60 days after publication in the Federal Register) By the Commission: Chairwoman Rosenworcel issuing a statement. TABLE OF CONTENTS I. INTRODUCTION 1 II. BACKGROUND 5 III. DISCUSSION 18 A. Goals and Data Reporting 19 B. Structure of the Pilot Program 25 C. Eligibility and Selection of Pilot Participants 34 D. Eligible Services and Equipment/Security Measures 39 E. Applicability and Adoption of E-Rate Rules, Forms, and Processes 47 F. Legal Authority 52 G. Promoting Digital Equity and Inclusion 65 IV. PROCEDURAL MATTERS 66 V. ORDERING CLAUSES 74 APPENDIX A – PROPOSED RULES APPENDIX B – INITIAL REGULATORY FLEXIBILITY ANALYSIS I. INTRODUCTION 1. Broadband connectivity and Internet access are increasingly important for K-12 students and adults alike. Whether for online learning, job searching, or connecting with peers and the community, high-speed broadband is critical to educational and personal success in the modern world. However, although broadband connectivity and Internet access can simplify and enhance the daily lives of K-12 students, school staff, and library patrons, they can also be used by malicious actors to steal personal information, compromise online accounts, and cause online personal harm or embarrassment. Similarly, while advances in online technology benefit K-12 schools and libraries by expanding teaching and education beyond the physical confines of a school or library building, and permitting students and library patrons to complete online homework assignments, conduct online research, and learn the computer skills necessary to secure a job in the future, K-12 schools and libraries increasingly find themselves targets for attackers who would disrupt their ability to educate, illegally obtain sensitive student, school staff, and library patron data, and hold their broadband networks hostage to extract ransom payments. Given the growing importance of broadband connectivity and Internet access for K-12 schools and libraries, the Federal Communications Commission (Commission) proposes a three-year pilot program within the Universal Service Fund (USF or Fund) to provide up to $200 million available to support cybersecurity and advanced firewall The term “advanced firewall services” refers to services that are not currently eligible for E-Rate support and is used throughout this Notice as distinct from the “basic firewall services” that are currently eligible for support in the program. See infra para. 12; see also Federal-State Joint Board on Universal Service, CC Docket No. 96-45, Report and Order, 12 FCC Rcd 8776, 9008-15, paras. 436-49 (1997) (Universal Service First Report and Order); 47 U.S.C. § 254(h)(2)(A). services for eligible schools and libraries. 2. Specifically, in this Notice of Proposed Rulemaking (Notice), we propose the creation of a Schools and Libraries Cybersecurity Pilot Program (Pilot or Pilot program) that would allow us to obtain valuable data concerning the cybersecurity and advanced firewall services that would best help K-12 schools and libraries address the growing cyber threats and attacks against their broadband networks and data, while also helping us to better understand the most effective way USF support could be used to help schools and libraries address these significant concerns while promoting the E-Rate program’s longstanding goal of promoting basic connectivity. It is clear that the E-Rate program The E-Rate program is formally known as the schools and libraries universal service support mechanism. alone cannot fully address the K-12 schools’ and libraries’ cyber concerns and protect their broadband networks and data from cyber threats and attacks. See CISA, Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats at 12-18 (2023), https://www.cisa.gov/sites/default/files/2023-01/K-12report_FINAL_V2_508c_0.pdf (discussing the importance of recognizing and actively addressing things like insufficient IT resources and cybersecurity capacity restraints, and focusing on collaboration and resource sharing) (CISA K-12 Cybersecurity Report); GAO, Critical Infrastructure Protection Additional Federal Coordination is Needed to Enhance K-12 Cybersecurity at 25-27 (2022), https://www.gao.gov/assets/gao-23-105480.pdf (discussing the various non-monetary cybersecurity challenges faced by K-12 schools and school districts, including inadequate staffing, difficulty maintaining hardware and software upgrades, lack of end-user education on cyber threats, low prioritization by school district leaders, and inadequate cyber policies and procedures) (GAO K-12 Cybersecurity Report). As proposed, the Pilot seeks to learn more about which cybersecurity and advanced firewall services will have the greatest impact in helping K-12 schools and libraries protect their broadband networks and data, while also ensuring that limited USF funds are being utilized in an effective manner. For example, we expect that this Pilot will necessarily need to ensure that participating K-12 schools and libraries fully leverage the free and low-cost K-12 cybersecurity resources provided by our federal partners, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), See CISA K-12 Cybersecurity Report at 22, Appendix 1: K-12 Resource Repository (providing free and low-cost resources for each recommendation in the Report); CISA, Free Cybersecurity Services and Tools, https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools (last visited Nov. 9, 2023); CISA, Partnering to Safeguard K-12 Organizations from Cybersecurity Threats Online Toolkit (2023), https://www.cisa.gov/online-toolkit-partnering-safeguard-k-12-organizations-cybersecurity-threats (aligning the three recommendations from the Report with key actions, and related trainings and resources, to help K-12 schools and school districts create and implement robust cybersecurity programs) (CISA Online Toolkit). and the U.S. Department of Education (DOE), See infra for a discussion of three recently released DOE K-12 Digital Infrastructure Briefs that provide information about free and low-cost cybersecurity resources. to complement the Pilot’s work and make the most effective use of Pilot program funding. See, e.g., U.S. Department of Education, Office of Educational Technology, Cybersecurity Resources for K-12 Districts and Higher Education Institutions https://tech.ed.gov/cyberhelp/ (last visited Nov. 9, 2023) (providing cybersecurity resources aimed at parents, students, and K-12 educational organizations); see also National Institute of Standards and Technology, National Initiative for Cybersecurity Education (NICE), Free and Low Cost Cybersecurity Learning Content, https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content (last visited Nov. 9, 2023) (providing list of free cybersecurity learning materials and products); National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity (2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (outlining a cybersecurity risk framework for use by owners and operators of critical infrastructure); GSMA, Mobile Learning Policy Handbook at 28-31 (2014), https://www.gsma.com/iot/wp-content/uploads/2014/07/mLearning_handbook_26_06_14.pdf (discussing safety, security, and privacy for student mobile devices). 3. As discussed further below, we propose that the program operate as a new Pilot within the USF, which would provide funding to eligible K-12 schools and libraries to defray the qualifying costs of receiving the cybersecurity and advanced firewall services needed to protect their E-Rate-funded broadband networks and data from the growing number of K-12 school- and library-focused cyber events. See, e.g., GAO K-12 Cybersecurity Report at 9, 12 (explaining that by October 2022, schools in most states had reported cyberattacks on their systems and the reported number of ransomware incidents involving K-12 schools increased significantly in August and September of 2020). Additionally, we seek comment on the applicability of the Children’s Internet Protection Act (CIPA) to the Pilot program and USF-funded cybersecurity and advanced firewall services for schools and libraries. 4. We expect this Pilot program will benefit K-12 schools and libraries that are responding to a wide breadth of cyber threats and attacks that impact their ability to protect their broadband networks and data. Data gathered from the Pilot program will help us understand whether and how USF funds could be used to help address the K-12 school and library cybersecurity challenges, and the data and information collected through this Pilot program may also aid in the consideration of broader reforms across the government—including potential statutory changes—to help schools and libraries address the significant K-12 school and library cybersecurity concerns. In proposing this Pilot, the Commission is mindful of the E-Rate program’s longstanding goal of promoting basic connectivity, the Commission’s obligation to be a careful and prudent steward of the limited universal service funding, and the need to balance its actions in this proceeding against competing priorities, bearing in mind that this funding is obtained though assessments collected from telecommunications carriers that are typically passed on to and paid for by U.S. consumers. II. BACKGROUND 5. The ongoing proliferation of innovative digital learning technologies, and the need to connect students, teachers, and library patrons to information, jobs, and life-long learning have led to a steady rise in the demand for bandwidth in schools and libraries. FCC, E-Rate: Universal Service Program for Schools and Libraries (Sept. 15, 2021), https://www.fcc.gov/consumers/guides/universal-service-program-schools-and-libraries-e-rate. Thus, in recent years, the Commission has refocused the E-Rate program from supporting legacy telecommunications services to supporting broadband services, with a goal to significantly expand Wi-Fi and broadband access to millions of students and library patrons across the nation. See FCC, Universal Service Program for Schools and Libraries (E-Rate) (Jan. 13, 2015), https://www.fcc.gov/general/universal-service-program-schools-and-libraries-e-rate (discussing the modernization of the E-Rate program to transition to focus on broadband connectivity and providing links to the FCC’s modernization orders). But the shift to modern connectivity is not without its challenges. Computers, laptops, tablets, and other devices that connect to the Internet or are capable of storing and sharing sensitive data are often targets of hackers that use spyware, malware, and other programs to gain unauthorized access to data, track web usage and financial transactions, and steal passwords and other personally identifiable information (PII) through the devices. FCC, Tips for Secure Web Navigation and Transactions (Mar. 11, 2020), https://www.fcc.gov/consumers/guides/secure-web-navigation-and-transactions. 6. K-12 schools and libraries are not immune to these broadband challenges or from becoming targets of cyberattacks. In fact, the targeting of K-12 schools and libraries by malicious actors came to the fore in 2020, when the COVID-19 pandemic “escalated cybersecurity issues within the education industry.” Rachael Altman, Cybersecurity Concerns Escalate in the Education Industry (Nov. 2, 2021), https://www.g2.com/articles/cybersecurity-concerns-in-the-education-industry (reporting an 18% increase in cyberattacks from 2019 to 2020). See also CISA, Cyber Threats to K-12 Remote Learning Education (December 2020), https://www.cisa.gov/sites/default/files/publications/Cyber_Threats_to_K-12_Remote_Learning_Fact_Sheet_15_Dec_508_0.pdf (“Malicious cyber actors are targeting school computer systems, slowing access, and rendering the systems inaccessible to basic functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.”); CISA, Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data (Dec. 10, 2020), https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a (“The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.”). Recent information shows that schools and libraries are vulnerable to increased cyber threats and attacks, often leading to the disruption of school and library operations, loss of learning, reductions in available bandwidth, significant monetary losses, and the leaking and theft of students’, school staff members’, and library patrons’ personal information and confidential data. See CISA, Cyber Threats to K-12 Remote Learning Education, https://www.cisa.gov/stopransomware/cyber-threats-k-12-remote-learning-education (last visited Nov. 9, 2023) (discussing the rise in cyber threats and cyberattacks against K-12 educational entities and describing some of the more onerous actions employed by malicious actors); GAO, As Cyberattacks Increase on K-12 Schools, Here Is What’s Being Done (Dec. 1, 2022), https://www.gao.gov/blog/cyberattacks-increase-k-12-schools-here-whats-being-done (noting that the scale and number of cyberattacks against K-12 educational entities increased during COVID-19 and providing examples of how schools are being attacked); K12 SIX, The K-12 Cyber Incident Map, https://www.k12six.org/map (last visited Nov. 9, 2023) (categorizing the 1,619 cyberattacks that occurred between 2016 and 2022 by type of attack using an interactive map); Career Charge, Top 5 K-12 Cybersecurity Threats Schools are Facing (Jan. 17, 2023), https://corporatetraining.usf.edu/blog/top-5-k-12-cybersecurity-threats-schools-are-facing (explaining that according to the 2019 State of Malware report, education is consistently among the top 10 industries targeted by attackers because schools are data-rich environments, lack IT funding for their infrastructure, provide few cybersecurity professional development opportunities for school staff, and are comprised of students who are tech savvy but lack good cyber hygiene practices); Center for Internet Service, New MS-ISAC Report Details Cybersecurity Challenges of K-12 Schools (Nov. 14, 2022), https://www.prnewswire.com/news-releases/new-ms-isac-report-details-cybersecurity-challenges-of-k-12-schools-301675262.html (stating that 29% of K-12 MS-ISAC member organizations reported being victims of a cyber incident in the 2021-2022 school year ); Will Caverly, Ransomware Attacks at Libraries: How They Happen, What to Do (May 10, 2021), https://publiclibrariesonline.org/2021/05/ransomware-attacks-at-libraries-how-they-happen-what-to-do/ (describing a ransomware attack at the Northampton Public Library that resulted in a two-week closure while the library’s IT firm sorted out the malware problems); Kevin Regan, Cyber Risks No Longer Science-Fiction for Libraries (July 19, 2021), https://www.insurancejournal.com/magazines/mag-features/2021/07/19/623028.htm (explaining that the names and addresses stored by libraries may be all attackers need to invade patrons’ privacy, and pose a threat to their finances and identity); Pierluigi Paganini, Boston Public Library Discloses Cyberattack (Aug. 30, 2021), https://securityaffairs.com/121632/cyber-crime/boston-public-library-cyberattack.html (disclosing a cyberattack that crippled the computer network of the Boston Public Library). According to CISA, malicious actors have even “disrupted live-conferenced classroom settings by verbally harassing students, displaying pornography and violent images, and doxing meeting attendees.” See CISA, Cyber Threats to K-12 Remote Learning Education (Dec. 2020), https://www.cisa.gov/sites/default/files/publications/Cyber_Threats_to_K-12_Remote_Learning_Fact_Sheet_15_Dec_508_0.pdf (listing “doxing” as a common cybersecurity concern and explaining that it is “[t]he act of compiling or publishing personal information about an individual on the internet, typically with malicious intent”). Predictions are that K-12 schools and libraries will continue to be prime targets for malicious actors, primarily because they are data-rich environments that tend to lag behind in terms of their available resources and cybersecurity program maturity. Center for Internet Security, New MS-ISAC Report Details the Cybersecurity Challenges of K-12 Schools (Nov. 14, 2022), https://www.prnewswire.com/news-releases/new-ms-isac-report-details-cybersecurity-challenges-of-k-12-schools-301675262.html (predicting that “cyber threat actors are highly likely to target K-12 school districts in the remainder of the 2022-2023 school year”); Will Caverly, Ransomware Attacks at Libraries: How They Happen, What to Do (May 10, 2021), https://publiclibrariesonline.org/2021/05/ransomware-attacks-at-libraries-how-they-happen-what-to-do/ (noting that “malicious hacking attacks of institutions are on the rise, particularly after the onset of the COVID-19 pandemic” and “[c]orporations, including nonprofits like public libraries, face greater dangers from these attacks”). 7. Cybersecurity Act of 2021, and Actions by Federal Partners to Address K-12 Cybersecurity Concerns. Recognizing that K-12 schools across the nation faced increased cyber threats and attacks that threaten their networks and have the potential to provide unauthorized access to sensitive student and school staff information—e.g., grades, medical records, and PII—in October 2021, the President signed into law the K-12 Cybersecurity Act of 2021. K-12 Cybersecurity Act, 2021, H.R. 17-122, Pub. L. No. 117-47, 117th Cong., (2021) (enacted), available at https://www.govinfo.gov/content/pkg/BILLS-117s1917enr/pdf/BILLS-117s1917enr.pdf. The Act instructed the Director of CISA to: (1) conduct a study to analyze how certain cybersecurity risks specifically impacted K-12 educational institutions; (2) evaluate the cybersecurity challenges K-12 educational institutions faced when implementing cybersecurity protocols and securing information systems and data; (3) identify cybersecurity challenges related to remote learning; and (4) evaluate the most accessible ways to communicate cybersecurity recommendations and tools. Id. at § 3(b)(A)-(D). 8. In January 2023, CISA published its report detailing the results of its study and providing three recommendations to help K-12 entities address the cybersecurity risks targeting the K-12 school community. See generally Press Release, CISA, CISA Releases Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats (Jan. 24, 2023), https://www.cisa.gov/news-events/alerts/2023/01/24/cisa-releases-protecting-our-future-partnering-safeguard-k-12; CISA K-12 Cybersecurity Report. Specifically, CISA recommended that K-12 school entities: (1) invest in the most impactful security measures, like multi-factor authentication (MFA), patch management, minimizing exposure to common attacks, and building toward a mature cybersecurity plan; CISA K-12 Cybersecurity Report at 1, 3, 12-14. More specifically, the Report recommended that “[i]n an environment of limited resources, [K-12] leaders should leverage security investments to focus on the most impactful steps. K-12 entities should begin with a small number of prioritized investments: deploying multi-factor authentication (MFA), mitigating known exploited vulnerabilities, implementing and testing backups, regularly exercising an incident response plan, and implementing a strong cybersecurity training program. K-12 entities should then progress to fully adopting CISA’s Cybersecurity Performance Goals (CPGs) and mature to building an enterprise cybersecurity plan aligned around the NIST Cybersecurity Framework (CSF).” CISA K-12 Cybersecurity Report at 3. (2) recognize and actively address resource constraints Id. at 3, 12, 16-17. More specifically, the Report recommended that “[c]ybersecurity risk management . . . be elevated as a top priority for administrators, superintendents, and other leaders at every K-12 institution. [K-12] [l]eaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.” CISA K-12 Cybersecurity Report at 3. by, for example, leveraging federal, state, and local grant programs, See id. at 16 (discussing the State and Local Cybersecurity Grant Program (SLCGP) managed by CISA and the Federal Emergency Management Agency (FEMA), which will provide grants totaling one billion dollars over four years, and the Homeland Security Grant Program (HSGP), which dedicates 7.5% of funds to support critical infrastructure cybersecurity). utilizing free or low-cost services, To this end, CISA has published a free Cybersecurity Services and Tools catalog that K-12 organizations can use to identify free public and private resources to help them reduce their cybersecurity risk. K-12 organizations can access the catalog, which is regularly updated, at https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools; see also CISA K-12 Cybersecurity Report at 17. and requiring technology providers to enable strong security controls at no additional charge; See id. at 17 (stating that “k-12 organizations should expect the technology used for core educational functions, like learning management and student administrative systems, to have strong security controls enabled by default for no additional charge”). For example, CISA encourages K-12 organizations to require that phishing-resistant MFA be enabled for all administrator accounts, at a minimum, for no additional charge. Id. and (3) focus on collaboration and information-sharing by joining groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC) Per the U.S. Government Accountability Office, “MS-ISAC is an independent, nonprofit organization that DHS designated in 2010 as the cybersecurity ISAC for state, local, tribal, and territorial governments. It provides services and information sharing to enhance state, local, tribal, and territorial governments’ ability to prevent, protect against, respond to, and recover from cyberattacks and compromises.” GAO K-12 Cybersecurity Report at 8, n.19. and K-12 Security Information Exchange (K12 SIX), Per the U.S. Government Accountability Office, “K12 SIX is a national nonprofit information-sharing organization that assists its members from the K-12 community in protecting from cybersecurity threats.” GAO K-12 Cybersecurity Report at 2, n.7. and building long-term relationships with CISA and the Federal Bureau of Investigation (FBI) regional security personnel. Id. at 3, 12, 18. More specifically, the GAO report recommended “[i]nformation sharing and collaboration with peers and partners . . . to build awareness and sustain resilience. K-12 entities should participate in an information sharing forum such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and/or K12 Security Information eXchange (K12 SIX) and establish a relationship with CISA and FBI field personnel.” GAO K-12 Cybersecurity Report at 3. In its report, CISA also committed to working with technology providers to encourage the provision of free or low-cost security tools, CISA K-12 Cybersecurity Report at 5. and collaborating with federal partners—including the DOE—to identify areas for cybersecurity progress and provide meaningful support to measurably reduce K-12 cybersecurity risks. CISA K-12 Cybersecurity Report at 2, 19. Contemporaneously with the report, CISA also released an online toolkit that delved further into the three recommendations, linking each recommendation with key actions and related free or low-cost tools and resources to help K-12 school entities take actions to immediately reduce their cybersecurity risks. See generally CISA, Online Toolkit: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats, https://www.cisa.gov/online-toolkit-partnering-safeguard-k-12-organizations-cybersecurity-threats (last visited Nov. 9, 2023) (organizing the toolkit by recommendation, with each recommendation containing a description, applicable actions, and additional resources). CISA derived the toolkit from its broader list of cybersecurity performance goals. Id. 9. While CISA’s work was underway, the U.S. Government Accountability Office (GAO) was asked “to (1) determine what is known about the cost impact of cyber incidents on school districts and (2) determine the extent to which key federal agencies coordinate with other federal and nonfederal entities to help K-12 schools combat cyber threats.” See GAO K-12 Cybersecurity Report at 36. In October 2022, GAO published its report finding that additional federal coordination was needed to enhance K-12 school cybersecurity posture. See generally GAO K-12 Cybersecurity Report. Specifically, the GAO recommended that the Secretary of Education: (1) establish a collaborative mechanism, such as a government coordinating council, to coordinate cybersecurity efforts between federal agencies and with the K-12 school community; (2) develop metrics to obtain feedback to measure the effectiveness of its cybersecurity products and services for school districts; and (3) coordinate with CISA to determine how best to help school districts overcome the identified challenges and consider the identified opportunities for addressing cyber threats, as appropriate. GAO K-12 Cybersecurity Report at 32. The GAO further recommended that the Secretary of Homeland Security ensure that the Director of CISA develop metrics to measure the effectiveness of CISA’s K-12 cybersecurity-related products and services available to school districts and determine the extent to which CISA meets the needs of state and local-level school districts to combat cybersecurity threats. Id. Although GAO staff interviewed Commission staff during this engagement, the GAO did not include any specific recommendations directed to the Commission. See GAO K-12 Cybersecurity Report (directing no recommendations to the FCC). 10. Most recently, the DOE released three K-12 Digital Infrastructure Briefs, See U.S. Department of Education, Office of Educational Technology, K-12 Digital Infrastructure Brief: Adequate and Future Proof (2023), https://tech.ed.gov/files/2023/08/FINAL_Adequate_FutureProof.pdf (DOE Adequate and Future Proof Brief); U.S. Department of Education, Office of Educational Technology, K-12 Digital Infrastructure Brief: Privacy Enhancing, Interoperable, and Useful (2023), https://tech.ed.gov/files/2023/08/FINAL_Privacy_Interop_Useful.pdf (DOE Privacy Enhancing Brief). See also Press Release, U.S. Department of Education, U.S. Department of Education Announces Key K-12 Cybersecurity Resilience Efforts (Aug. 7, 2023), https://www.ed.gov/news/press-releases/department-of-education-announces-k-12-cybersecurity-resilience-efforts. one of which it co-authored with CISA, See U.S. Department of Education, Office of Educational Technology & CISA, K-12 Digital Infrastructure Brief: Defensible and Resilient (2023), https://tech.ed.gov/files/2023/08/DOEd-Report_20230804_-508c.pdf (DOE & CISA Defensible and Resilient Brief). to provide K-12 school districts across the country with a starting place to understand the importance of securing their digital infrastructure and the immediate steps they can take to keep their networks and systems safe from cyber threats. Each Brief contains key cybersecurity considerations to help schools and educational leaders build upon and sustain core digital infrastructure for learning. For example, the DOE’s and CISA’s joint K-12 Digital Infrastructure Brief: Defensible and Resilient provides a range of key cybersecurity considerations, Id. at 7-9 (discussing the key considerations of continuous risk management, employing analogies for understanding and addressing cybersecurity challenges, prioritizing and mitigating the greatest cybersecurity threats, preparing to respond to and recover from a cyber incident, and recognizing that vendors have a key role to play in cybersecurity). and builds off of the National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF), See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, version 1.1 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf. as well as CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) “to help [school] districts strategically approach cybersecurity risks and build a more defensible and resilient digital infrastructure.” Id. at 10-21 (discussing the interplay between the CISA CPGs and the five core functions of NIST 1.1 (identify, protect, detect, respond, and recover)). The DOE’s K-12 Digital Infrastructure Brief: Adequate and Future Proof focuses on ensuring that schools’ key digital infrastructure can evolve to meet constantly shifting technology demands, See generally DOE Adequate and Future Proof Brief. including a brief discussion of the role artificial intelligence (AI) may play in the future of teaching and learning. Id. at 11-12. The DOE’s K-12 Digital Infrastructure Brief: Privacy Enhancing, Interoperable, and Useful provides tips for ensuring data privacy, complying with federal and state privacy laws, promoting data equity, and making data systems interoperable and useful to improve school decision-making and student outcomes. See generally DOE Privacy Enhancing Brief. It also contains links for technical assistance and student privacy resources, Id. at 14. including a link to a Data Breach Scenario that provides a simulated response to a district-level data breach and focuses on the tools and skills necessary to respond to the breach. Id. All three briefs were released in advance of the White House’s Back to School Safely: Cybersecurity Summit for K-12 Schools, which was held on August 7, 2023. See Press Release, the White House, Biden-Harris Administration Launches New Efforts to Strengthen America’s K-12 Schools’ Cybersecurity (Aug. 7, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/. 11. The E-Rate Program. The E-Rate program was authorized by Congress as part of the Telecommunications Act of 1996 (the Telecommunications Act), and created by the Commission in 1997 to bring connectivity to and within schools and libraries. Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56 (codified at 47 U.S.C. § 151 et seq). Through the E-Rate program, eligible schools, libraries, and consortia (comprised of eligible schools and libraries) may request universal service discounts for eligible services and/or equipment (collectively, eligible services), including telecommunications services, Internet access, and internal connections. 47 U.S.C. §§ 254(c)(1), (c)(3), (h)(1)(B), (h)(2)(A). Congress charged the Commission with establishing competitively neutral rules to enhance access to advanced telecommunications and information services for all public and nonprofit elementary and secondary school classrooms and libraries, and also provided the Commission with the authority to designate “special” or “additional” services eligible for universal service support for schools and libraries. 47 U.S.C. §§ 254(c)(3), (h)(2)(A). The Commission has authority to designate services eligible for E-Rate support as part of its authority to enhance, to the extent technically feasible and economically reasonable, access to advanced telecommunications and information services for all public and nonprofit elementary and secondary classrooms and libraries. Universal Service First Report and Order, 12 FCC Rcd at 9008-15, paras. 436-49; see also 47 U.S.C. § 254(h)(2)(A). This authority reflects recognition by Congress that technology needs are constantly evolving in light of “advances in telecommunications and information technologies and services.” 47 U.S.C. § 254(c)(1). Specifically, with respect to schools and libraries, sections 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the Communications Act of 1934, as amended (Communications Act) grant the Commission authority to specify the services that will be supported using universal service funds and to design the specific mechanisms for support. 47 U.S.C. §§ 254(c)(1), (c)(3), (h)(1)(B), (h)(2). 12. Currently, the E-Rate program funds basic firewall service In the E-Rate program, “firewall” is currently defined as “a hardware and software combination that sits at the boundary between an organization’s network and the outside world, and protects the network against unauthorized access or intrusions.” USAC, Schools and Libraries (E-Rate) Program Eligible Services List (ESL) Glossary, https://www.usac.org/wp-content/uploads/e-rate/documents/ESL-Glossary.pdf (last visited Nov. 9, 2023). provided as part of the vendor’s Internet service as a category one service. See, e.g., Modernizing the E-Rate Program for Schools and Libraries, WC Docket No. 13-184, Order, DA 21-1602, 2021 WL 6063032, at *7, *9 (WCB Dec. 17, 2021) (FY 2022 ESL Order and ESL). Category one services include services and equipment needed to support broadband connectivity to schools and libraries. In addition, the E-Rate program funds separately-priced basic firewalls and services as a category two service subject to the applicants’ five-year category two budget. See, e.g., id. at *7, *9. Category two services include services and equipment needed to support broadband connectivity within schools and libraries.  Based on funding year (FY) 2022 data, the E-Rate program funded over $230 million category one requests for data transmission and Internet access services that included basic firewall services and over $16 million for category two requests that were for basic firewall services and components. See Letter from Tom Nesbitt, Director of Program Management, E-Rate/ECF, USAC, to Trent B. Harkrader, Chief, Wireline Competition Bureau, FCC, WC Docket No. 13-184 (filed July 11, 2023), https://www.fcc.gov/ecfs/document/10711526918691/1. The Commission has previously declined to fund advanced firewall services or to extend basic firewall services to include anti-virus and anti-spam software, intrusion protection and prevention devices that monitor, detect, and deter threats to a network from external and internal attacks, and other services to protect networks, and removed virtual private networks (VPN) and other data protection services from the E-Rate eligible services list. See, e.g., Schools and Libraries Universal Support Mechanism, A National Broadband Plan for Our Future, CC Docket No. 02-6, GN Docket No. 09-51, Sixth Report and Order, 25 FCC Rcd 18762, 18808-09, para. 105 (2010) (Schools and Libraries Sixth Report and Order); Modernizing the E-Rate Program for Schools and Libraries, WC Docket No. 13-184, Report and Order and Further Notice of Proposed Rulemaking, 29 FCC Rcd 8870, 8917-18, para. 120 (2014) (First 2014 E-Rate Order) (removing VPNs and all other services under “Data Protection” other than basic firewalls and uninterruptible power supply/battery backup from the upcoming FY 2015 Eligible Services List to re-focus E-Rate support on internal connections necessary for deploying LANs/WANs). The Commission uses several criteria to determine whether to add services to the eligible services list (ESL). First, under the statute, a service must serve an educational purpose. See 47 U.S.C. § 254(h)(1)(B); see also Schools and Libraries Sixth Report and Order, 25 FCC Rcd at 18805, para. 99. Second, the service should be primarily or significantly used to facilitate connectivity. 47 U.S.C. § 254(h)(2)(A). Third, due to the program’s limited funds, the Commission must balance the benefits of particular services with the costs of adding them to the list of supported services. Id.; see also Schools and Libraries Sixth Report and Order, 25 FCC Rcd at 18805, para. 99. Section 254(h)(2)(A) of the Communications Act authorizes the Commission to designate services eligible for E-Rate support as part of its authority to enhance, to the extent technologically feasible and economically reasonable, access to advanced telecommunications and information services. 47 U.S.C. § 254(h)(2)(A). Thus, the E-Rate program is not able to fund every service that potentially serves an educational purpose, and for that reason the Commission evaluates the potential impact of funding a particular service on the E-Rate program and the USF, when considering whether to add new services to the eligible services list. In doing so, the Commission explained that it “must balance the benefits of such protections with the costs of augmenting [the] list of supported services . . . Although [the Commission] agree[s] that protection from unauthorized access is a legitimate concern, the funds available to support the E-Rate program are constrained. Therefore we find that, on balance, the limited E-Rate funds should not be used to support these services.” Schools and Libraries Sixth Report and Order, 25 FCC Rcd at 18808-09, para. 105; see also Modernizing the E-Rate Program for Schools and Libraries, WC Docket No. 13-184, Report and Order, 34 FCC Rcd. 11219, 11237, para. 46 (2019) (declining to fund network security features consistent with the Commission’s reasoning in the 2014 First E-Rate Order). 13. COVID-19 and Cybersecurity Petitions, Eligible Services List Filings, and Public Notice. During the COVID-19 pandemic, several E-Rate stakeholders submitted petitions asking the Commission to reconsider the eligibility of advanced firewall and network security services given the increased use of schools’ broadband networks to provide remote learning to their students. On August 20, 2020, Cisco submitted a petition for waiver asking that the Commission raise applicants’ category two budgets by 10% and allow category two funding to be used for advanced network security services during the COVID-19 pandemic (i.e., for funding years 2020 and 2021). Petition of Cisco Systems, Inc. for Waiver, WC Docket No. 13-184, at 1-2, 6 (filed Aug. 20, 2020), https://www.fcc.gov/ecfs/search/search-filings/filing/10820400607480. The Commission did not grant Cisco’s Petition for Waiver. Rather, it sought comment on the underlying issues raised in the petition. See infra para. 16. On February 8, 2021, the FCC received a petition for declaratory ruling and petition for rulemaking from a group of E-Rate program stakeholders The E-Rate stakeholders included the Consortium for School Networking (CoSN), Alliance for Excellence in Education, State Educational Technology Directors Association (SETDA), Council of the Great City Schools, State E-Rate Coordinators’ Alliance (SECA), and Schools, Health & Libraries Broadband (SHLB) Coalition). requesting that the definition of “firewall” be modified to include all firewall and related features (e.g., next-generation firewall protection, endpoint protection, and advanced security), and to update the definition of broadband to include cybersecurity. Petition of CoSN et al. for Declaratory Relief and Rulemaking Allowing Additional Use of E-Rate Funds for K-12 Cybersecurity, WC Docket No. 13-184, at 2 (filed Feb. 8, 2021), https://www.fcc.gov/ecfs/search/search-filings/filing/1020811446893. The Consortium for School Networking (CoSN), along with Funds for Learning (FFL), provided a study and the costs associated with adding advanced firewall and other network security services to the E-Rate program and estimated that it would cost the program about $2.389 billion annually to fund these advanced firewall and other network security services for all K-12 schools. Id. at 14, Attach. at 4. They also asked the Commission to increase the current category two budgets to include additional funding for advanced firewall and other network security services. Id. at 13. 14. As part of last year’s Eligible Services List (ESL) proceeding, a group of E-Rate stakeholders submitted comments, reply comments, and ex parte submissions requesting that the Commission reconsider its earlier eligibility decisions and clarify that advanced or next-generation firewalls and services, as well as other network security services, are eligible for E-Rate support. Wireline Competition Bureau Seeks Comment on Requests to Allow the Use of E-Rate Funds for Advanced or Next-Generation Firewalls and Other Network Security Services, WC Docket No. 13-184, Public Notice, DA 22-1315, 2022 WL 17886490, at *7, Appendix A (WCB Dec. 14, 2022) (December 2022 Public Notice). During that proceeding, AASA, along with 19 other national educational organizations, requested that the Commission take a measured approach in deciding whether to expand the eligibility of advanced firewalls and services, as well as other cybersecurity services. See Letter from AASA, The School Superintendents Association, et al., to Jessica Rosenworcel, Chairwoman, Brendan Carr, Geoffrey Starks, and Nathan Simington, Commissioners, FCC, CC Docket No. 02-6, at 1 (filed Sept. 23, 2022), https://www.fcc.gov/ecfs/document/10923187101919/1 (“E-Rate alone cannot defray the costs of technology and training necessary to secure school and library networks and data.”). These stakeholders urged the Commission to work collaboratively with other federal agencies to “determine the products and services that are available and effective in responding to and preventing cyberattacks[;] . . . schools should not be driving the response to cyberattacks, nor should E-Rate, the only federal funding stream supporting connectivity in schools, be repurposed/redirected for this important effort.” Id. 15. On November 15, 2022, the Commission also received a proposal from FFL for the Commission to establish a three-year pilot program to fund advanced firewalls and services as a category two service. See, e.g., Letter from John D. Harrington, Chief Executive Officer, Funds for Learning, to Jessica Rosenworcel, Chairwoman, Brendan Carr, Geoffrey Starks, Nathan Simington, Commissioners, FCC, CC Docket No. 02-6, WC Docket No. 13-184 (filed Nov. 15, 2022), https://www.fcc.gov/ecfs/document/111630719929/1 (FFL Nov. 15 Ex Parte Letter); Letter from John D. Harrington, Chief Executive Officer, Funds for Learning, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 02-6, WC Docket No. 13-184 (filed Nov. 21, 2022), https://www.fcc.gov/ecfs/document/1122304899639/1 (FFL Nov. 21 Ex Parte Letter); Letter from John D. Harrington, Chief Executive Officer, Funds for Learning, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 02-6, WC Docket No. 13-184 (filed Nov. 23, 2022), https://www.fcc.gov/ecfs/document/112325067454/1 (FFL Nov. 23 Ex Parte Letter) (collectively, FFL Ex Parte Letters). FFL also proposed that a funding cap of at least $60 million to $120 million be used for each of the three years. FFL Nov. 23 Ex Parte Letter at 1. FFL further proposed that in the event demand exceeds available funds, that the pilot funding be prioritized to the applicants with the highest discount rates, and that the Commission deny funding for the remaining applicants with lower discount rates when the capped pilot funds are exhausted. Id. at 2-3. 16. In response to the cybersecurity petitions, FY 2023 ESL filings, and the proposed FFL pilot cybersecurity program, and in light of the increasing number of cybersecurity threats targeting K-12 schools, the Wireline Competition Bureau (Bureau) issued a Public Notice on December 14, 2022, seeking comment on a variety of topics, including the definition of advanced or next-generation firewalls and services, the specific cybersecurity equipment and services the E-Rate program should fund as advanced or next-generation firewalls and services, the appropriate categorization of the firewalls and services, the Commission’s legal authority to extend E-Rate eligibility to the firewalls and services, and the impact that funding the firewalls and services could have on the E-Rate program’s longstanding goal of basic connectivity. See generally December 2022 Public Notice. Comments were due on February 13, 2023, and replies were due on March 30, 2023. 17. As Congress and the GAO recognize, agencies like CISA and the DOE have greater expertise in identifying and combatting K-12 school cyber threats and attacks; See generally GAO K-12 Cybersecurity Report. thus, the Commission has been working with CISA and the DOE to leverage their strengths in addressing K-12 school cybersecurity issues. See, e.g., GAO K-12 Cybersecurity Report at 20. However, based on the record developed in response to the December 2022 Cybersecurity Public Notice, we now consider whether expanding universal service support to protect schools and libraries from cyber threats and attacks could advance the key universal service principles of providing quality Internet and broadband services to eligible schools and libraries at just, reasonable, and affordable rates; and ensuring schools’ and libraries’ access to advanced telecommunications services. 47 U.S.C. § 254(b)(1), (b)(6). Data from the GAO K-12 Cybersecurity Report indicates that lack of access to advanced or next-generation firewalls and services may frustrate the ability of schools’ and libraries’ to maintain critical and uninterrupted educational services, GAO K-12 Cybersecurity Report at 12-13 (discussing DDoS attacks at Winthrop Public Schools and Miami-Dade County Public Schools that disrupted learning on the schools’ networks and web-based systems, and school district closures in Connecticut due to cyber incidents). resulting in lengthy operational downtimes See GAO K-12 Cybersecurity Report at 3, n.8, 14-16 (discussing detailed downtime research conducted by Comparitech Limited, a research organization that provides information, tools, reviews, and comparisons to readers to help improve their online cybersecurity and privacy). and significant monetary losses GAO K-12 Cybersecurity Report at 12, 16 (discussing a ransomware attack on a vendor for Chicago Public Schools that resulted in the release of sensitive personal data for more than 500,000 students and staff members and another in Texas for which a school district made a $500,000 ransomware payment). that could thwart the provision of quality Internet and broadband services at just, reasonable, and affordable rates. The same data shows that “[l]ow-income [school] districts are in many cases most at-risk and vulnerable to cyberattacks and need focused support given lack of financial resources[,]” CISA K-12 Cybersecurity Report at 4 (highlighting that lack of financial resources can be a contributor for a school being targeted for a cyberattack). indicating that a lack of access to these cybersecurity services may potentially frustrate the universal service principle that access to advanced telecommunications and information services should be available in all regions of the nation, as well as frustrate the E-Rate program’s longstanding goal of providing connectivity to and within schools and libraries. III. DISCUSSION 18. Mindful of the need to protect universal service funding and aware that basic firewall services may be insufficient alone to protect E-Rate-funded broadband networks, we propose a three-year Pilot program to ascertain whether supporting cybersecurity and advanced firewall services with universal service support could advance the key universal service principles of providing quality Internet and broadband services to K-12 schools and libraries at just, reasonable, and affordable rates; and ensuring schools’ and libraries’ access to advanced telecommunications provided by Congress in the Telecommunications Act of 1996. To accomplish this, we propose a pilot structure similar to the one the Commission used in the Connected Care Pilot Program. Specifically, interested K-12 schools and libraries would apply to be Pilot program participants by submitting an application containing information about how they would use the Pilot funds and providing information about their proposed cybersecurity and advanced firewall projects. If selected, the applicants would apply for funding for Pilot-eligible services and equipment. Pilot participants receiving a funding commitment would be eligible to begin receiving cybersecurity and advanced firewall services and equipment, and would submit invoices for reimbursement. A. Goals and Data Reporting 19. It is important that we define the goals of the proposed Pilot program, as well as establish criteria to measure progress towards those goals. This will help the Commission and other federal, state, and local stakeholders to determine whether, and how, to provide funding for cybersecurity and advanced firewall services after the Pilot ends. To that end, we propose three goals: (1) improving the security and protection of E-Rate-funded broadband networks and data; (2) measuring the costs associated with cybersecurity and advanced firewall services, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants; and (3) evaluating how to leverage other federal K-12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs. 20. Improving the security and protection of E-Rate-funded broadband networks and data. We first propose a goal for the proposed Pilot program of improving the security and protection of E-Rate-funded broadband networks and data. As the Council of the Great City Schools stated, “schools and libraries desperately need assistance to acquire advanced . . . firewalls to protect the integrity of their broadband connections, networks and data.” Council of the Great City Schools Reply at 3. Funding made available by the proposed Pilot may be able to help participants acquire the cybersecurity and advanced firewall services and equipment needed to improve the security and protection of their broadband networks and data. We seek comment on how we can measure whether the Pilot is effective in protecting and securing E-Rate-funded broadband networks and data. We also seek comment on this proposed goal and related questions. 21. Measuring the costs and effectiveness of Pilot-funded cybersecurity and advanced firewall services and equipment. Next, we propose a goal of measuring the costs and effectiveness of cybersecurity and advanced firewall services and equipment. The Pilot can help the Commission and other federal, state, and local government agencies gather additional data on the types of new services and equipment that applicants will purchase to address network and data security concerns, and the associated cost and effectiveness of Pilot-funded services and equipment. Data provided in FCC Forms 470 and 471 (or their Pilot program equivalent) can aid the Commission in measuring the costs of cybersecurity and advanced firewall services and equipment. What data should be collected on the effectiveness of the funded equipment and services? For example, should Pilot participants be required to submit data on the number of intrusion attempts, number of successful attacks, mean time to detection and response, estimated cost of each attack, etc.? What other accepted metrics should we require Pilot participants to monitor and record? For example, should we collect data on the number and percent of students and school and library staff using multi-factor identification, the frequency of school and library staff and, separately, student cyber training sessions, and participation rates? Should Pilot participants be required to assess awareness and readiness of school and library staff based on available guidance from CISA or other expert organizations? Should all or some of these potential requirements be standardized across Pilot participants to allow for comparative analysis of outcomes? The proposed intent of this Pilot is to also determine the most cost-effective use of universal service funding to help schools and libraries proactively address K-12 cybersecurity issues. We seek comment on this proposed goal and related questions. 22. Evaluating how to leverage other federal resources to address schools’ and libraries’ cybersecurity threats. Third, we propose a goal of evaluating how to best leverage other federal resources to help schools and libraries proactively address K-12 cybersecurity issues. CISA, DOE, and NIST have made a wide array of free and low-cost K-12 cybersecurity tools and resources available to schools and libraries. See, e.g., supra notes 4-6. Also, as discussed above, more resources beyond funding are needed for schools and libraries to effectively protect their broadband networks and data from cyberattacks and other cyber threats. As part of this Pilot, the Commission intends to coordinate with its federal partners in identifying the most impactful tools and resources to help schools and libraries effectively protect themselves and address these cybersecurity issues. For example, DOE plans to establish a Government Coordinating Council (Council) to coordinate the activities of federal leaders in taking actions to help protect school networks. Press Release, U.S. Department of Education, U.S. Department of Education Announces Key K-12 Cybersecurity Resilience Efforts (Aug. 7, 2023), https://www.ed.gov/news/press-releases/department-of-education-announces-k-12-cybersecurity-resilience-efforts. What role can the Pilot play to complement the efforts of other agencies that will participate in the Council? In addition, the CISA K-12 Cybersecurity Report contains three key recommendations for schools and libraries that would immediately improve their cybersecurity postures, the first of which recommends implementing a “small number of the highest priority steps”, including implementing multi-factor authentication, fixing known cybersecurity flaws, performing and testing back-ups, minimizing exposure to common attacks, developing and exercising a cyber incident response plan, and creating a training and awareness campaign. See CISA K-12 Cybersecurity Report at 12-15 (providing three key recommendations for K-12 schools to undertake to improve their cybersecurity posture immediately). Should the Pilot target funding to allow schools and libraries to implement some or all of the items contained in the list of highest priority steps from CISA’s first recommendation to help them address K-12 cybersecurity issues (e.g., multi-factor authentication, correcting known security flaws, performing and testing system backups, etc.)? See CISA K-12 Cybersecurity Report at 12-14 (describing the six highest-priority steps from the first key recommendation for schools to take to address K-12 cybersecurity concerns). Should schools and libraries be required to implement a certain number of these free and low-cost tools to be eligible to receive Pilot funding for cybersecurity and advanced firewall services, and if so how should this requirement be enforced? See CISA K-12 Cybersecurity Report at 17 and n.30 (providing information on CISA’s free cybersecurity resources and tools). Furthermore, DOE has made a number of recommendations in its K-12 Digital Infrastructure Briefs aimed at making K-12 networks safe, accessible, resilient, sustainable, and future-proof. See generally DOE & CISA Defensible and Resilient Brief, DOE Adequate and Future Proof Brief, and DOE Privacy Enhancing Brief. How should the Pilot account for these recommendations? How can the Pilot funding incentivize schools and libraries to take full advantage of other available free and low-cost K-12 cybersecurity tools and resources? How can the Pilot leverage USAC’s established relationships with and processes for distribution of training to the schools and libraries to facilitate the efforts of CISA, DOE, and NIST in order to provide technical assistance or capacity building for Pilot participants? We seek comment on this proposed goal and how best to implement and measure success. 23. How can the Commission best measure progress towards these proposed performance goals, to ensure that the limited Pilot funds are used most impactfully and effectively to help schools and libraries protect their broadband networks and data? For example, by what objective criteria can we determine whether the funding provided through the Pilot actually improved the protection and security of schools’ and libraries’ broadband networks and data? What information would we need to collect to compare Pilot results against those criteria? Are there best practices and recommendations that we can rely on from expert agencies or organizations that have undertaken similar or related cybersecurity pilots? What outcomes should we measure? For example, in this Pilot should we measure the reductions in the number of cyberattacks; average cost of an attack; time to detect and respond to a cyber threat; staff and user awareness/readiness; or some other measure(s)? 24. How should the Commission evaluate the Pilot? We propose that Pilot participants submit certain information to apply for the Pilot, a progress report for each year of the pilot, and a final report at the conclusion of the Pilot program. Our intent is to collect information and data that would not involve the collection of PII in evaluating our proposed goals. We further propose that these reports contain information on how the Pilot funding was used, any changes or advancements that were made to the school’s or library’s cybersecurity efforts outside of the Pilot-funded services and equipment, and the number of cyber incidents CISA defines a cyber incident (or incident) as “[a]n occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.” See CISA National Initiative for Cybersecurity Careers and Studies (NICCS), Vocabulary, https://niccs.cisa.gov/cybersecurity-career-resources/vocabulary#C (last visited Nov. 9, 2023). that occurred each year of the Pilot program and whether the school or library was successful in defending its broadband network and data for each incident. We seek comment on these proposals. Are there any other cybersecurity assessments or evaluations that participants should conduct to determine whether the Pilot-funded cybersecurity and advanced firewall services and equipment bolstered the school’s or library’s cybersecurity posture, even absent a breach or other cyber incident? What is the data or information that the Commission should be collecting in the proposed progress and final reports? What could the Commission do to allow comparability across pilots? Are there any public sources of information that the Commission can also use to determine the impact of the Pilot program in addressing K-12 cybersecurity issues, and if so, does this data impact what we require participants to submit in their reports to the Commission? B. Structure of the Pilot Program 25. Next, we discuss the overall structure for the proposed Pilot program. Building on our experience administering the Connected Care Pilot Program, See generally Promoting Telehealth for Low-Income Consumers; COVID-19 Telehealth Program, WC Docket Nos. 18-213 and 20-89, Report and Order, 35 FCC Rcd 3366 (2020) (Connected Care Pilot Order). we propose a similar structure for the proposed Pilot program, and discuss in more detail below. 26. Overall Structure. We propose to structure the proposed Pilot program in a manner similar to the Connected Care Pilot Program. Under this proposal, interested schools and libraries would apply to be a Pilot participant. Those schools and libraries that are selected to participate will be provided an opportunity to apply for Pilot funding for eligible services and equipment. Participants will then receive a funding commitment, and can begin to receive equipment/services and submit invoices for reimbursement. Further, we propose that the Universal Service Administrative Company (USAC), the FCC’s administrator for universal service programs, be appointed as the permanent administrator of the Pilot program. We seek comment on this general structure for the proposed Pilot program. 27. We further propose that interested participants will be required to submit an application describing their proposed use of Pilot funds, and provide information that will facilitate the selection of high-quality projects that will best further the goals of the proposed Pilot program. At a minimum, we propose that Pilot applications require the following information: i. Name, address, and contact information for the interested school or library. For school district or library system applicants, the name and address of all schools/libraries within the district/system, and contact information for the district or library system. ii. Description of the Pilot participant’s current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics, and a description of its proposed advanced cybersecurity action plan should it be selected to participate in the Pilot program and receive funding. iii. Description of any incident of unauthorized operational access to the Pilot participant’s systems or equipment within a year of the date of its application; the date range of the incident; a description of the unauthorized access; the impact to the K-12 school or library; a description of the vulnerabilities exploited and the techniques used to access the system; and identifying information for each actor responsible for the incident, if known. iv. Description of the Pilot participant’s proposed use of the funding to protect its broadband network and data and improve its ability to address K-12 cyber concerns. This description should include the types of services and equipment the participant plans to purchase and the plan for implementing and using the Pilot-funded equipment and services to protect its broadband network and data, and improve its ability to manage and address its cybersecurity risks. v. Description of how the Pilot participant plans to collect and track its progress in implementing the Pilot-funded equipment and services into its cybersecurity action plan, and for providing the required Pilot data, including the impact the funding had on its initial cybersecurity action plan that pre-dated implementation of Pilot efforts. We seek comment on these proposed requirements, and whether additional information should also be required. We propose that Pilot participants will submit these applications via an online platform, designed and operated by USAC, and seek comment on this proposal. Are there any confidentiality or security concerns with providing the above information, and if so, what protections should be implemented to protect potentially sensitive data regarding a prospective applicant’s current cybersecurity posture? How can the Commission best leverage its experience receiving applications in USF programs, for example, E-Rate, Rural Health Care, and the Connected Care Pilot Program, as well as in the appropriated programs, like COVID-19 Telehealth, Emergency Connectivity Fund (ECF), and the Affordable Connectivity Program (ACP) Outreach grants? Are there any lessons learned from the Connected Care Pilot Program and other FCC pilot programs that we can benefit from when establishing the proposed Pilot program? We further propose that the Bureau review applications and select participants, in consultation with the Office of Economics and Analytics (OEA), the Public Safety and Homeland Security Bureau (PSHSB), and the Office of the Managing Director (OMD), as needed, and seek comment on this proposal. Lastly, to assist with program administration and ensure that the proposed Pilot program runs efficiently, we propose to delegate to the Bureau the authority to implement the proposed Pilot program and to direct USAC’s administration of the Pilot program, consistent with the Commission’s rules and orders, and seek comment on this proposal. We further propose that this delegation includes the authority for the Bureau and/or USAC to request additional information from Pilot applicants, as needed. 28. Pilot Program Duration. We propose that the Pilot program will make funding available to participants for a three-year term, and seek comment on this proposal. Does a three-year term provide sufficient data to the Commission to evaluate how effective the Pilot funding is in protecting K-12 schools and libraries, and their broadband networks and data, from cyberattacks and other cyber threats? We acknowledge that there may be a tradeoff between learning more from the Pilot program and moving quickly to potentially expand support to protect all K-12 schools’ and libraries’ broadband networks and data from cyber threats. Are there ways to shorten the length of the Pilot, for example, by using a single application window that remains open until funds are exhausted, without compromising the amount or quality of the data the Pilot will generate? See, e.g., Letter from CoSN, SHLB, ALA, et al., to Jessica Rosenworcel, Chairwoman, Federal Communications Commission, CC Docket No. 02-6, WC Docket No. 13-184 (filed Aug. 7, 2023). Should the Pilot program period include additional ramp-up time, to allow participants an opportunity to prepare for the Pilot? Should the Pilot program include additional time at the end of the three-year term for the Commission to evaluate results? We seek comment on the three-year term proposal and these related questions. 29. Pilot Budget. We propose a budget of $200 million over the three-year duration of the proposed Pilot program, and seek comment on this proposal. See, e.g., FFL Nov. 23 Ex Parte Letter at 1 (requesting $60 million to $120 million per year in funding for a proposed cybersecurity pilot program); SHLB Coalition Reply at 2 (“The Commission should increase the Category Two budget cap by $100 million per year for the next two years to give schools and libraries the opportunity to address their cybersecurity needs.”). Will a budget of $200 million be sufficient to obtain and receive meaningful data on how this funding helped to protect schools’ and libraries’ broadband networks and data and improved their ability to address K-12 cyber issues? Conversely, would a lower budget be sufficient for these purposes (e.g., $100 million) while also putting less pressure on the contribution factor? How should the total Pilot program budget be distributed over the three-year funding period? Should each selected project’s funding commitment be divided evenly across the Pilot program duration? For example, if a selected project requests and receives a $9 million funding commitment and the funding period is three years, should the project receive $3 million for each year? Alternatively, are there reasons why a Pilot participant may need access to a greater amount of funding up front? If we allow Pilot participants to access a greater amount earlier in the term, how can we forecast a predictable budget over the three-year term? We seek comment on these questions. 30. As this proposed Pilot should not divert resources from the existing universal service support programs, we propose requiring USAC to separately collect on a quarterly basis the funds needed for the duration of the Pilot program. Pursuant to section 54.709(a)(3) of the Commission’s rules, as part of the process by which the Commission establishes the quarterly contribution factor, the Administrator (Universal Service Administrative Company or USAC) must provide the Commission each quarter with its projection of total demand and administrative expenses for the universal service support mechanism. See 47 CFR § 54.709(a)(3). We expect that funding the Pilot program in this manner would not significantly increase the contributions burden on consumers. For example, if the Pilot program funds were evenly distributed over the proposed three-year funding period (e.g., approximately $66 million per year), using the 3rd Quarter 2023 projected collected revenues of $8,534 billion, we estimate that the proposed Pilot budget would result in an approximately 0.4% increase in the contribution factor.  See Proposed Third Quarter 2023 Universal Service Contribution Factor, Public Notice, CC Docket No. 96-45 (OMD June 14, 2023), https://docs.fcc.gov/public/attachments/DA-23-507A1.pdf.   This approach also would not impact the budgets or disbursements for the other universal service programs. We seek comment on this approach. Should the collection be based on the quarterly demand for the Pilot program? We also propose to have excess collected contributions for a particular quarter carried forward to the following quarter to reduce collections. 47 CFR § 54.709(b) (describing the default practice of carrying forward excess contributions to the following quarter to decrease contributions). Under this approach, we also propose to return to the Fund any funds that remain at the end of the Pilot program. Are there other approaches we should consider for funding the Pilot program? Are there any tradeoffs between allocating funding to the proposed Pilot program as it relates to the size of the E-Rate program and the USF more generally? We also seek comment on whether the costs associated with the proposed Pilot program will impact other stakeholders’ requests related to the use of universal service and E-Rate funding, such as allowing ECF-funded services to continue to be funded through the E-Rate program after the ECF program sunsets. See, e.g., SHLB Coalition, et. al, Petition for Expedited Declaratory Ruling and Waivers Allowing the Use of E-rate Funds for Remote Learning During the Covid-19 Pandemic, Modernizing the E-rate Program for Schools and Libraries, WC Docket No. 13-184 (Jan. 26, 2021), https://www.fcc.gov/ecfs/search/search-filings/filing/101260036427898; Letter from Kristen Corra, Policy Counsel, SHLB Coalition, to Marlene H. Dortch, Secretary, FCC, WC Docket Nos. 13-184 and 21-93 (June 6, 2023), https://www.fcc.gov/ecfs/search/search-filings/filing/106061384907152 (SHLB Ex Parte). Will the proposed $200 million budget help alleviate any concerns about the impact that this Pilot may have on the USF? How can we best balance the need to provide funding for cybersecurity and advanced firewall services with our responsibility as a careful and prudent steward of limited federal resources? 31. Should we establish a maximum funding cap per Pilot participant? Should we establish a per-student cap (and a corresponding cap on libraries based on their square footage), based on commercially available costs? Are there data sources for cost information that would be appropriate to use in setting such a cap? Or should we allow selected Pilot participants to receive a different amount of funding that aligns with their application? Should we adjust awards based on the Pilot participant’s category two discount rate level? See, e.g., 47 CFR § 54.505(b) (providing the calculation for an applicant’s discount rate for eligible E-Rate equipment and services). Should Pilot participants be required to contribute and be responsible for a portion of the costs in order to receive Pilot program funding? See, e.g., 47 CFR § 54.523 (requiring payment for the non-discounted portion of costs). For example, we propose that Pilot participants will be subject to their current category two discount rate as the non-discounted share of costs for the Pilot program; should we instead require participants to contribute a fixed percentage of the costs of the services and equipment purchased? How can the Commission ensure Pilot participants are making cost-effective purchases through this Pilot program? 32. Should the Commission disburse a smaller amount of funding to a larger number of Pilot participants to increase the total volume of cybersecurity data available? Or should we disburse a larger amount of funding to fewer Pilot participants to obtain a more holistic look at how the support could best be used to protect E-Rate-funded broadband networks and data, as well as help K-12 schools and libraries address cybersecurity issues? Which approach would generate the best data to determine whether and how universal service support could most effectively be leveraged to help K-12 schools and libraries protect their E-Rate-funded broadband networks and data from targeted cyberattacks and other cyber threats? 33. Under our proposals, once selected, Pilot participants will be required to submit funding applications for the requested services and equipment. To ease administration of the Pilot, we propose that participants be permitted to seek funding for services and equipment to be provided over the proposed three-year term in a single application and be supported by multi-year contract/agreement(s) for this term. We seek comment on these proposals and questions. C. Eligibility and Selection of Pilot Participants 34. We next discuss what types of entities should be eligible to participate in the proposed Pilot program. In doing so, we note that the number and type of schools and libraries that participate in the E-Rate program vary significantly. Who should be eligible to participate in the Pilot program and how should we select Pilot participants? How can we ensure that the Commission identifies a wide cross-section of Pilot participants to allow it to evaluate the effectiveness of providing universal service support for K-12 schools’ and libraries’ cybersecurity needs, and do so in a fair and transparent manner? Should we limit eligibility to schools and libraries currently participating in the E-Rate program or should we expand eligibility to include schools and libraries that do not currently participate in the E-Rate program? Should we select Pilot participants based on specific objective factors like: E-Rate category two discount rate levels; location (e.g., urban vs. rural); and/or participant size (i.e., small schools, school districts, and libraries vs. large schools, school districts, and libraries)? How should we define, or what sources should we use to define, these factors to ensure they are applied objectively? For example, the E-Rate program requires USAC to designate a school or library as “urban” “if the school or library is located in an urbanized area or urban cluster with a population equal to or greater than 25,000, as determined by the most recent urban-rural classification by the Bureau of the Census. [USAC] shall designate all other schools and libraries as rural.” 47 CFR § 54.505(b)(3). The National Center for Education Statistics provides “Large, Mid-size, and Small” public elementary and secondary school enrollment statistics by “City, Suburban, Town, and Rural" locales. See National Center for Education Statistics, Digest of Education Statistics, https://nces.ed.gov/programs/digest/d22/tables/dt22_214.40.asp (last visited Nov. 9, 2023). Are any of these factors (i.e., discount rate level, urban vs. rural, large vs. small) more or less important than others from an eligibility perspective? If yes, why are particular factors more or less important than others? Are there other factors we should consider when determining who should be eligible to participate in the Pilot and how participants should be selected? For example, would the Pilot benefit from including schools and libraries that have advanced expertise in cybersecurity as participants because they presumably would know how to best spend the Pilot funding? Or, should cybersecurity expertise not be a factor at all in the selection of Pilot participants? How can we ensure that schools and libraries that lack funding, expertise, or are otherwise under-resourced can meaningfully participate in the Pilot? Is there a way to compare the cybersecurity performance of Pilot participants against non-participants (e.g., through the use of a survey or other data collection process) in a way that contrasts the current cybersecurity posture of Pilot participants with that of non-participants? To be eligible for the Pilot program, should Pilot participants be required to demonstrate that they have started taking actions to improve their cybersecurity posture by, for example, starting to implement some of the DOE and CISA K-12 cybersecurity recommendations or potential forthcoming Council guidance or other similar actions? Or conversely, should a school or library be required to provide a certification or other confirmation that, absent participation in the Pilot, it does not have the resources to start implementing CISA’s K-12 cybersecurity recommendations? We seek comment on these preliminary participant eligibility questions. 35. In today’s broadband-reliant environment, there are a plethora of evolving cyber threats and attacks. See, e.g., Shruti M, Types of Cyber Attacks You Should Be Aware of In 2023 (May 5, 2023), https://www.simplilearn.com/tutorials/cyber-security-tutorial/types-of-cyber-attacks (discussing 54 cyberattacks to be aware of in 2023); Fortinet, Types of Cyber Attacks, https://www.fortinet.com/resources/cyberglossary/types-of-cyber-attacks (last visited Nov. 9, 2023) (discussing the 20 most common types of cyberattacks); J.R. Tietsort, What is a Cyber Attack? How Do They Happen? (Apr. 6, 2023), https://www.aura.com/learn/types-of-cyber-attacks (discussing the 17 types of cyberattacks commonly used by hackers); Kurt Baker, 10 Most Common Types of Cyber Attacks (Feb. 13, 2023), https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-types-of-cyberattacks/ (discussing the 10 most common types of cyberattacks). Should we limit schools’ and libraries’ eligibility to participate in the Pilot program to those schools and libraries that have faced or are facing certain types of cyber threats or attacks? If so, which cyber threats or attacks should qualify a school or library for participation in the Pilot program? Are there certain types of cyber threats or attacks that schools and libraries most commonly face and are there any emerging cyber threats or attacks that have only recently arisen? What types of cyber threats or attacks are the most harmful or costly for schools or libraries to combat and/or recover from? What difficulties have schools and libraries faced when attempting to address cyber threats and attacks on their own? We seek comment on the types of cyber threats and attacks encountered by schools and libraries and how they should be evaluated, if at all, when selecting Pilot participants. 36. Past experience also indicates that there may be common cyber threats CISA defines a cyber threat as “[a] circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.” See CISA National Initiative for Cybersecurity Careers and Studies (NICCS), Vocabulary, https://niccs.cisa.gov/cybersecurity-career-resources/vocabulary#T (last visited Nov. 9, 2023). and attacks CISA defines a cyberattack as “[a]n attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.” See CISA National Initiative for Cybersecurity Careers and Studies (NICCS), Vocabulary, https://niccs.cisa.gov/cybersecurity-career-resources/vocabulary#T (last visited Nov. 9, 2023). faced by K-12 schools, school districts, and libraries regardless of their particular characteristics (e.g., urban vs. rural, and large vs. small). See supra note 95. However, the history of attacks also indicates that certain K-12 schools and libraries may be more likely than others to be targeted by malicious actors due to lack of information technology (IT) funding or constrained staff resources. See supra note 74. When selecting Pilot participants, should we consider an applicant’s previous history regarding cyber threats or attacks? If yes, should we select as Pilot participants schools and libraries with greater or fewer cyber incidents? How should we define, or what sources should we use to define, a “greater” versus “fewer” number of cyber incidents? Should we assess “greater” or “fewer” in absolute terms or relative terms? For instance, should a school district with 100,000 students and school staff that faces 1,000 cyber incidents per year be viewed as having more incidents than a school district with 10,000 students and school staff that faces 900 incidents per year? Or, should the latter school district be seen as having more cyber incidents on a per-student and school staff member basis? Would the Pilot benefit from including both schools and libraries that have never experienced a cyber threat or attack, as well as those that have experienced at least one cyber threat or attack? In commenters’ experience, are there certain types of schools or libraries that are more likely to face cyber threats or attacks? Are schools or libraries in certain geographic or socioeconomic settings more vulnerable than others to cyber threats or attacks? What role does lack of IT funding or constrained staffing resources play in the likelihood or frequency of cyber threats or attacks? When selecting Pilot participants, should cybersecurity risk, geographic or socioeconomic factors, staffing constraints or financial need, or technical challenges play a role in participant selection? We seek comment on the characteristics and circumstances that may result in a school or library being more or less likely to be targeted for a cyber threat or attack, and the role those characteristics should play in Pilot participant selection. Are there ways to ensure that under-resourced schools and libraries can meaningfully participate in the Pilot? For example, should the Commission direct USAC to provide assistance to schools and libraries that are under-resourced and may lack experience to assist them throughout the Pilot? We also encourage commenters to share any first-hand knowledge they may have regarding factors that may increase or decrease the likelihood of a school or library being targeted for a cyber threat or attack, and discuss if or how that information should be considered in the Pilot participant selection process. 37. Prerequisites. There are a number of free and low-cost cybersecurity tools and resources available to K-12 schools and libraries. See, e.g., CISA K-12 Cybersecurity Report at 22, Appendix 1: K-12 Resource Repository; CISA, Free Cybersecurity Services and Tools, https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools; CISA Online Toolkit, https://www.cisa.gov/online-toolkit-partnering-safeguard-k-12-organizations-cybersecurity-threats; see also CrowdStrike, Cybersecurity Against All Threats, https://go.crowdstrike.com/try-falcon-pro-cybersecurity-overview.html?utm_campaign=falcontrial&utm_content=ecom-treq-en-fpro-tct-us-psp-smb-trl-cybr-x_x_x_x-x&utm_medium=sem&utm_source=goog&utm_term=cybersecurity%20software&gad=1&gclid=EAIaIQobChMI9s2O5-mO_wIVqvfjBx0f5Q23EAAYASAAEgLJr_D_BwE (last visited Nov. 9, 2023); Fortinet, K-12 Cybersecurity – Top Internet Security Software, https://www.fortinet.com/solutions/industries/education/k12 (last visited Nov. 9, 2023); Verizon, Keep Your K-12 Schools Security Connected, https://www.verizon.com/business/resources/solutionsbriefs/cybersecurity-resources-for-k-12-schools.pdf (last visited May 25, 2023); Sophos, Adaptive Cybersecurity for Educational Institutions, https://www.sophos.com/en-us/solutions/industries/education (last visited Nov. 9, 2023); WatchGuard, Security In Education, https://www.watchguard.com/wgrd-solutions/industries/education (last visited Nov. 9, 2023); Scholarly Networks Security Initiative, For Librarians, https://www.snsi.info/librarian-resources/ (last visited Nov. 9, 2023) (discussing cybersecurity options for academic and higher education libraries). Should the Commission adopt any prerequisites for Pilot program participation? For example, should Pilot participants be required to take a more active role in improving/enhancing their cybersecurity posture? If so, how should this be monitored and enforced? For example, should Pilot participants be required to correct known security flaws and conduct routine backups as part of this Pilot program? See, e.g., CISA K-12 Cybersecurity Report at 14 (discussing correcting known security flaws and performing and testing system back-up as two high priority first steps). Should Pilot participants be required to participate in other federal efforts to share cybersecurity information and resources, such as the MS-ISAC See supra note 23 for a description of MS-ISAC. or the K12 SIX? See CISA K-12 Cybersecurity Report at 18 (recommending K-12 schools engage in collaboration and information sharing with other entities like MS-ISAC and K12 SIX). See also supra note 24 for a description of K12 SIX. Should Pilot participants be required to implement, or demonstrate how they plan to implement, recommended best practices from organizations like the DOE, CISA, and NIST, as they are able? See, e.g., CISA K-12 Cybersecurity Report at 15 (recommending the implementation of CPGs and the development of a cybersecurity plan that implements NIST’s Cyber Security Framework (CSF)). Should Pilot participants be required to take steps on their own to improve their cybersecurity posture by, for example, designating an officer or other senior-level staff member responsible for cybersecurity implementation, updates, and oversight, or implementing a cybersecurity training program for their staff and network users? We seek comment on these questions. 38. Should we only include as Pilot participants those schools and libraries that have already implemented or are in the process of implementing CISA’s K-12 cybersecurity recommendations, or have otherwise begun the process of implementing a cybersecurity framework or program? Are there any schools or libraries that have implemented or are in the process of implementing the DOE’s or CISA’s K-12 cybersecurity recommendations or another cybersecurity framework or program, to protect their E-Rate-funded networks and data? If so, what actions have been the most successful in establishing and implementing cybersecurity recommendations, or a cybersecurity framework or program? We also ask schools and libraries that are already implementing or experimenting with CISA’s K-12 cybersecurity recommendations, or another cybersecurity framework or program, to provide us with information about their cybersecurity projects and discuss how these actions should influence, if at all, the Pilot participant selection process. For schools and libraries that have not taken any preventative or mitigating actions, what are the key impediments to implementing a more robust cybersecurity posture? If cost is the reason that schools or libraries have been unable to implement and strengthen their cybersecurity posture, is there other federal, state, or local funding available that could be used in place of or in addition to universal service funding to help address cyber threats and attacks? If other sources of funding are available, should schools and libraries be required to seek or already have obtained cybersecurity funding commitments from other federal, state, or local sources to be eligible to participate in this proposed Pilot program? We seek comment on what prerequisites, if any, should be adopted to be a Pilot participant. D. Eligible Services and Equipment/Security Measures 39. In the December 2022 Public Notice, we sought comment on “the specific equipment and services that E-Rate should . . . fund as advanced or next-generation firewalls and services.” December 2022 Public Notice at *4. Nearly all commenters who opined on this topic advocated for the eligibility of at least next-generation firewalls. See, e.g., American Library Association Comments, WC Docket No. 13-184, at 5 (rec. Feb. 13, 2023) (ALA Comments); ADS Advanced Data Services Reply, WC Docket No. 13-184, at 1 (rec. Mar. 31, 2023) (ADS Reply); Cisco Systems, Inc. Comments, WC Docket No. 13-184, at 22-23 (rec. Feb. 13, 2023) (Cisco Comments); Consortium for School Networking et al. Comments, WC Docket No. 13-184, at 4 (rec. Feb. 13, 2023) (CoSN et al. Comments); Crown Castle Fiber LLC Comments, WC Docket No. 13-184, at 1 (rec. Feb. 13, 2023) (Crown Castle Comments); E-Rate Central Comments, WC Docket No. 13-184, at 2 (rec. Feb. 6, 2023) (filed on behalf of New York State Applicants) (NYS Applicants Comments); Fortinet, Inc. Comments, CC Docket No. 02-6, WC Docket No. 13-184, at 8 (rec. Feb. 13, 2023) (Fortinet Comments); Los Angeles Unified School District Coalition Reply, WC Docket Nos. 13-184 and 21-476, at 1 (rec. Mar. 20, 2023) (Los Angeles Coalition Reply); NCTA – The Internet & Television Association Comments, WC Docket No. 13-184, at n.2 (rec. Feb. 13, 2023) (NCTA Comments); Palo Alto Networks, Inc. Comments, WC Docket No. 13-184, at 2 (rec. Feb. 13, 2023) (Palo Alto Comments); Zscaler, Inc. Comments, WC Docket No. 13-184, at 2 (rec. Feb. 14, 2023) (Zscaler Comments) (each advocating for the eligibility of at least next-generation firewalls). Many of these commenters further advocated for the eligibility of a range of additional security measures, including some or all of: MFA, domain name system (DNS) security, distributed denial-of-service (DDoS) protection, and/or VPN. See, e.g., Hans Kirchner Comments, WC Docket No. 13-184, at 1 (rec. Feb. 9, 2023) (filed on behalf of Lincoln Intermediate Unit 12) (Lincoln Comments) (advocating for MFA and VPN protections); Cisco Comments at 22; E-Rate Provider Services, LLC Comments, WC Docket No. 13-184, CC Docket No. 02-6, at 4 (rec. Feb. 1, 2023) (E-Rate Provider Services Comments) (advocating for DNS security); NCTA Comments at 1 (advocating for DDoS protection) and n.2 (advocating for VPN protections); Kelton Independent School District Comments, WC Docket No. 13-184, at 1 (rec. Jan. 30, 2023) (Kelton Comments) (advocating for VPN protections). On the other hand, a small number of commenters urged the Commission to adopt general criteria for eligibility, rather than enumerate specific technologies (e.g., firewalls) as eligible, believing that this approach would provide E-Rate participants with appropriate flexibility in addressing their individualized security needs and ultimately better ensure the security of E-Rate-supported networks. See, e.g., Schools, Health & Libraries Broadband Coalition Reply, WC Docket No. 13-184, at 4-5 (rec. Mar. 30, 2023) (SHLB Coalition Reply) (“The Commission should structure the eligibility of cybersecurity solutions by functionality rather than by specific technology. . . . [T]he Commission should clarify that cybersecurity solutions that keep the network from being shut down and that protect the privacy of user data deserve to be protected, regardless of the specific technology used to achieve those goals.”); see also, e.g., ALA Comments at 3 (“[W]e ask the Commission to develop a broad, flexible definition of eligible security tools with the primary qualification being that the services requested improve network security.”). 40. Commenters, however, were opining on security measures that would be appropriate for inclusion in the E-Rate program rather than on security measures that would be appropriate for inclusion in today’s proposed Pilot. December 2022 Public Notice at *4. Therefore, to resolve any ambiguity and further develop the record specifically as to the proposed Pilot, we seek further comment on the security measures, including equipment and services, that should be made eligible to participants in the Pilot. We also seek comment on whether we should place restrictions on the manner or timing of a Pilot participant’s purchase of security measures. For example, should Pilot funding be limited to a participant’s one-time purchase of security measures or should the support cover the on-going, recurring costs that a Pilot participant may incur, for example, in the form of continual service contracts or recurring updates to the procured security measures? We note that an appropriate set of eligible measures and the timing for the security measures would balance the Commission’s goal of using the Pilot to meaningfully assess the effectiveness of a wide range of different security approaches with the need to conserve and efficiently use the limited funding available for the Pilot to gain sufficient insight into each of those approaches. As a preliminary point, we seek comment on whether the Commission should specify eligibility in terms of general criteria rather than as a list of specific technologies. If so, what should the eligibility criteria be? For example, should the Commission adopt the Schools, Health & Libraries Broadband Coalition’s (SHLB Coalition) proposed general criteria that would deem any security measure eligible as long as it “keep[s] the network from being shut down and . . . protect[s] the privacy of user data” SHLB Coalition Reply at 4-5. or would some other general criteria be more appropriate? Id. SHLB Coalition’s views notwithstanding, we believe that specifying an enumerated list of eligible security technologies/measures would provide more specific, and thus clearer, eligibility guidance to Pilot participants than would general eligibility criteria, ultimately leading to a more efficient use of the Pilot program’s funds. A finite list of allowable cybersecurity options would also make comparisons of outcomes more tractable across Pilot participants. On the other hand, are there concerns that potential evolutions in security measures/technologies during the duration of the Pilot would render an enumerated Commission list of eligible technologies/measures outdated before the end of the Pilot? Are there concerns that limited Pilot funds could be used inefficiently, or misused, if the Commission adopts an approach based on generalized criteria? Should eligibility be limited to cybersecurity measures that are primarily or significantly used to facilitate connectivity? 47 U.S.C. § 254(h)(2)(A). How does section 254 limit the kinds of cybersecurity solutions that can be purchased, and how they may be deployed, using pilot funds? We seek comment on these issues and more generally on the relative advantages and disadvantages of specifying eligibility in terms of an enumerated list of security measures/technologies as compared to general criteria. 41. If the Commission adopts a list of eligible measures/technologies, at what granularity should that list be specified? For example, should the Commission publish a specific list of security measures (similar to the Eligible Services List for the E-Rate program), to help participants understand which services and equipment are eligible for support through the proposed Pilot program? Should a list of resources from MS-ISAC be included in the application, so that applicants can easily select desired services from the list, thereby simplifying the application process? Moreover, what are the specific measures that should be included on that list? We note that a number of commenters opined that new security measures should be limited to advanced and next-generation firewalls, in the context of discussing the E-Rate program. See, e.g., E-Rate Provider Services Comments at 3. Are these the most important tools schools and libraries could adopt and how does the import of these cybersecurity tools compare to other tools identified in the record? For example, CISA and the DOE have identified things like MFA, regular software and hardware updates, and regular backups as important tools for combatting network threats. Do commenters continue to believe that focusing funding efforts primarily or exclusively on advanced and next-generation firewalls is appropriate in the context of today’s proposed Pilot, which would utilize separate USF funding and aims to evaluate the effectiveness of a wide range of security approaches? If the list of eligible security measures should be more expansive than advanced firewalls in the context of today’s Pilot, which other measures should be included? For example, should the Commission determine eligible measures based on the recommendations from the CISA K-12 Cybersecurity Report, the DOE K-12 Digital Infrastructure Briefs, and/or other federal partner resources and guides. If so, how? 42. Moreover, we note that while nearly all commenters advocated for the eligibility of at least advanced or next-generation firewalls and services, commenters generally disagree on which features an “advanced firewall” service includes. For example, commenters variously opined that advanced firewalls should include some or all of: intrusion detection and prevention, application-level inspection, anti-malware and anti-virus protection, VPN, DNS security, DDoS protection, and content filtering. See supra notes 107 and 108. If the Commission were to make advanced firewall services eligible, how should “advanced firewall” be defined for the purposes of the proposed Pilot program? Alternatively, given the lack of consensus around the scope of these terms, and the import of this technology, should the Commission simply make “firewalls” eligible for the Pilot without regard to whether they are “basic” or “advanced/next-generation” as has been suggested to the Commission? See, e.g., American Library Association Reply, WC Docket No. 13-184, at 2-3 (rec. Mar. 29, 2023) (ALA Reply); Cisco Comments at 22-23, 25 n.92; CoSN et al. Comments at 8; Illinois Office of Broadband Comments, WC Docket No. 13-184, at 3 (rec. Feb. 10, 2023) (IOB Comments) (all advocating that there should not be a distinction between basic and advanced firewalls, but also limiting the services as category 2 services subject to the applicants’ five-year budgets). If the Commission were to adopt a single, updated “firewalls” definition for purposes of the Pilot that includes advanced or next-generation firewalls, should the definition encompass intrusion detection and prevention, application-level inspection, anti-malware and anti-virus protection, VPN, DNS security, DDoS protection, and content filtering and/or other measures/technologies? Given the limited amount of funding available, which of these measures/technologies should the Commission prioritize for inclusion within a broader definition of “firewall” and for what reasons? 43. We further propose to limit Pilot eligibility to equipment that is network-based (i.e., that excludes end-user devices, including, for example, tablets, smartphones, and laptops) and services that are network-based and/or locally installed on end-user devices, where the devices are owned or leased by the school or library. To be eligible for the Pilot, we further propose that the equipment or services be designed to identify and/or remediate threats that could otherwise directly impair or disrupt a school’s or library’s network, including to threats from users accessing the network remotely. We note that this proposed eligibility criteria would apply regardless of whether the equipment or services are located within a school’s or library’s classroom or other physical premises. We believe that this eligibility criteria, which is not restricted to physical premises, would provide schools and libraries with the flexibility to cost-effectively procure remotely-located equipment and services obviating a potentially costly need to install, maintain, and troubleshoot solutions on-site. We also believe that this approach is consistent with the way that many modern security services are increasingly offered, i.e., as a remotely-located or cloud-based, centralized resource accessible via the Internet. We further believe that limiting eligible services to end-user devices owned or leased by a school or library strikes a reasonable balance between protecting those entities’ networks with the need to limit the scope of protections given the limited Pilot funding available. We believe that our approach also reflects the reality that schools and libraries often already restrict the permissions available to third-party-owned devices that connect to their networks. We seek comment on this proposed scope of eligibility or any further restrictions, or relaxation of this proposal, that would best protect school and library broadband networks at a reasonable cost. 44. As noted above, the DOE and CISA K-12 cybersecurity recommendations describe a broad range of steps that K-12 entities may utilize to address cybersecurity risks, and many of these steps go beyond the types of specific firewall and technical technologies/measures that the Commission has traditionally deemed eligible for reimbursement within the context of the E-Rate program. Supra paras. 8 and 10. For example, the DOE and CISA recommend that entities develop a mature cybersecurity plan, leverage existing free or low-cost cybersecurity services, negotiate for the inclusion of certain services with their technology providers, and engage in strategic collaboration, information-sharing, and relationship-building with other entities. Supra paras. 8 and 10; see also DOE & CISA Defensible and Resilient Brief at 7,11-12, 14-16, 19 (describing the joint DOE and CISA K-12 cybersecurity recommendations); CISA K-12 Cybersecurity Report at 11-12 (describing the CISA K-12 cybersecurity recommendations). CISA’s CPGs See CISA K-12 Cybersecurity Report at 3 (describing the CISA CPGs). similarly recommend a broad range of cybersecurity practices, including practices related to asset management, organizational cybersecurity leadership structure, and reporting processes, that entities may use to reduce their cyber risk and help them develop the cybersecurity plan needed to implement the NIST Cybersecurity Framework (CSF). See CISA K-12 Cybersecurity Report at 15 (describing the eventual goal of working to implement a cybersecurity plan to implement NIST’s CSF); DOE & CISA Defensible and Resilient Brief at 10-21 (discussing the interplay between the CISA CPGs and the NIST 1.1. five core functions). These recommendations again involve actions that go beyond the traditional measures that the Commission has found to be eligible for reimbursement in the E-Rate program. 45. We thus seek comment on whether the Commission should allow participants to use Pilot funds to meet any of the DOE or CISA K-12 cybersecurity recommendations or CISA CPGs, or otherwise improve/enhance their cybersecurity posture and, if so, what the appropriate restrictions or limitations on the eligibility of such measures should be. Does the Commission have legal authority to allow spending on these broader DOE and CISA recommendations and CISA CPGs? If so, based on which statutory provisions and other sources of authority? Alternatively, should Pilot funding be limited to equipment and services that can directly protect the E-Rate-funded broadband networks and data, as has traditionally been the case within the E-Rate program? 46. Similarly, does the Commission have legal authority to fund broader steps that entities may take to address cybersecurity risks, such as through staff or user cybersecurity training, that are necessary parts of a K-12 school’s or library’s cybersecurity plan/framework as part of this proposed Pilot program? Or should staff and user cybersecurity training be treated similarly as the necessary resources needed to be able to participate in the Pilot program, similar to the necessary resources rule for the E-Rate program? See 47 CFR § 54.504(a)(1)(iii). As discussed earlier, CISA has provided a number of free and low-cost K-12 cybersecurity tools and resources, including staff and user cybersecurity training in Appendix 1 to its K-12 Cybersecurity Report. See, e.g., CISA K-12 Cybersecurity Report, Appendix 1, at 22; see also NIST, National Initiative for Cybersecurity Education (NICE), Free and Low Cost Online Cybersecurity Learning Content, https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content (last visited Nov. 9, 2023); supra notes 4-6. We seek comment on these questions and what services and equipment should be eligible for support in the Pilot program. E. Applicability and Adoption of E-Rate Rules, Forms, and Processes 47. We propose that Pilot participants comply with new rules, proposed and provided in Appendix A, that largely reflect and mirror the Commission’s existing E-Rate rules, 47 CFR Part 54, Subpart F. including by requiring competitive bidding, prohibiting gifts, and requiring that a participant pay its non-discounted portion of the costs of the supported services. See 47 CFR §§ 54.503 (E-Rate competitive bidding requirements); 54.503(d) (E-Rate gift restrictions); 54.523 (E-Rate requirement for payment of the non-discount portion of supported services). We believe that this approach is appropriate given the structural similarities of E-Rate and the Pilot, which is designed to study the expansion of equipment and services supported by E-Rate program. We believe that the Pilot rules are likely to be effective for the same reason that the E-Rate rules, which have been developed and refined by the Commission over many years, have proven to be effective. We further believe that by modeling today’s proposed rules on the existing E-Rate rules, we would ease compliance burdens for Pilot participants who are likely already familiar with, and have appropriate compliance measures in place to address, existing E-Rate program requirements. We seek comment on today’s proposed rules and these preliminary conclusions. 48. While today’s proposed rules would mirror in most respects the Commission’s E-Rate rules, we propose some deviations from those rules. For example, we propose to adopt several rules from the ECF program that are not included in the E-Rate rules. First, we propose to use the shorter timeframe for appealing a decision by USAC or requesting a waiver of the Commission’s rules. Second, we propose that invoices must also be submitted along with the request for reimbursement, as required in the ECF program. We believe that these two deviations from the E-Rate rules will work better for the Pilot program as it is a short-term program, similar to the ECF program. We seek comment on these proposals. We also seek comment on whether any of today’s proposed rules should not be adopted, or adopted in a different form than proposed for logical, policy, administrative, or other reasons. For example, should we allow Pilot participants to select the invoicing mode, as is required in the E-Rate rules? Or should the service provider be required to affirmatively agree to invoice on behalf of the Pilot participant as required in the ECF rules? We tentatively conclude that we should allow Pilot participants to determine which invoicing mode will be used and we seek comment on these questions and tentative conclusion. In providing comments, we request that commenters provide specific cites to relevant provisions of the proposed rules and, if instructive, the E-Rate rules. We also request that commenters describe any proposed rule modifications in detail. We also seek comment on whether we should promulgate any additional new rules, specific to the Pilot program. For example, what rules might we adopt to ensure the collection of data that will aid the Commission in evaluating the effectiveness of various cybersecurity approaches via the Pilot and an application filing window for the selection of Pilot participants? 49. We also propose to create a standardized set of forms for the Pilot as we believe this will both increase administrative efficiency and reduce burdens for the Pilot participants. Our proposal is informed by the Commission’s significant experience creating and employing standardized forms in a number of USF programs, including E-Rate, ECF, and the Connected Care Pilot Program. See, e.g., FCC, Emergency Connectivity Fund, https://www.fcc.gov/emergency-connectivity-fund (last visited Nov. 9, 2023); FCC, Connected Care Pilot Program, https://www.fcc.gov/wireline-competition/telecommunications-access-policy-division/connected-care-pilot-program (last visited Nov. 9, 2023). We seek comment on whether our objectives of administrative efficiency and minimizing Pilot participant burdens would best be met if we leverage the forms used in the Commission’s other USF programs as a starting point for creating forms for the Pilot. Based on our experience with E-Rate and ECF, in particular, we propose to create new forms for the Pilot participants that mirror the E-Rate FCC Form 470: Description of Services Requested and Certification Form; E-Rate/ECF FCC Form 471: Description of Services Ordered and Certification Form; E-Rate/ECF FCC Form 472: Billed Entity Applicant Reimbursement (BEAR) Form; and the E-Rate/ECF FCC Form 474: Service Provider Invoice (SPI) Form. See USAC, Forms, https://www.usac.org/e-rate/resources/forms/ (last visited Nov. 9, 2023). The new Pilot forms would thus allow participants to: (i) request Pilot-eligible services and equipment and open the competitive bidding process among vendors of these services and equipment; (ii) describe services and equipment the participant ordered after competitive bidding and request applicable discounts on the services and equipment; (iii) request reimbursement from USAC for the discounted costs of eligible services and equipment that have been approved by USAC and for which the applicant has received and paid for in full (i.e., BEAR invoicing); and (iv) request reimbursement from USAC for the discounted costs of eligible services and equipment that have been approved by USAC for which the applicant has received and paid the non-discounted portion to the service provider (i.e., SPI invoicing), respectively. We seek comment on our proposal to use these forms for the Pilot. We further propose to create a new Pilot participant application form (Form 484) that will collect the data proposed in paragraph 27 of this Notice. We will still leverage the data available in the E-Rate Productivity Center (EPC) and the ECF Portal to streamline the application process by auto-populating with Pilot applicant data that is already available through the E-Rate and ECF online systems. We seek comment on this proposal. 50. We also seek comment on whether any other new forms, processes, and software systems are needed or would be beneficial for the Pilot and on how these should be structured. For example, can we leverage existing E-Rate or ECF forms, processes, and software systems for the disbursement of funding in the Pilot program? Additionally, can the Pilot incorporate the existing E-Rate or ECF processes and software systems for seeking bids, requesting funding, and requesting disbursements/invoicing? See, e.g., USAC, E-Rate, https://www.usac.org/e-rate/ (last visited June 9, 2023). What challenges or obstacles to using existing E-Rate or ECF forms, processes, and software systems exist, if any, and how can we address them in the Pilot? Can the Pilot leverage existing E-Rate or ECF invoicing procedures, including the program’s associated deadlines for submitting invoices, See USAC, Step 5: Invoicing, https://www.usac.org/e-rate/service-providers/step-5-invoicing/ (last visited Nov. 9, 2023) (describing invoicing procedures and associated deadlines). and what modifications, if any, should be made to these deadlines to better reflect the structure of today’s Pilot program as compared to the E-Rate or ECF programs? For example, how should we define and implement a service delivery date for the Pilot program given its limited three-year duration? We seek detailed comment on these questions. 51. We also seek comment on steps we can take to protect the program integrity of the Pilot and its limited USF funds. Should we apply the E-Rate and/or ECF program integrity rules to the Pilot and, if so, what modifications, if any, should we make to those rules? We propose similar program integrity protections, for example, document retention requirements, audits, site visits, and other methods of review in the Pilot program. We seek comment on these proposals and questions. To further protect program integrity, we also propose that that we apply our existing USF suspension and debarment rules to the Pilot. 47 CFR § 54.8. We additionally note that the Commission is considering whether to update its suspension and debarment rules to provide the Commission with broader and more flexible authority to promptly remove bad actors from participating in USF and other programs in a separate, pending proceeding. See, e.g., Modernizing Suspension and Debarment Rules, GN Docket No. 19-309, Notice of Proposed Rulemaking, 34 FCC Rcd. 11348 (2019). To the extent that this proceeding is resolved and results in final rules prior to or during the duration of the Pilot program, we propose to apply the updated rules to the Pilot program. We believe that the steps outlined here would strike an appropriate balance between encouraging active participation in the Pilot by various schools and libraries and protecting the program integrity of the Pilot and its limited funds. We seek comment on our proposals, including the sufficiency of our legal authority to take our proposed actions, and any additional or alternative steps the Commission should take to safeguard the integrity of the proposed Pilot. F. Legal Authority 52. These proposals would create a Pilot that allows participants to receive universal service support for cybersecurity and advanced firewall services, an expansion of the basic firewall services currently allowed in the E-Rate program. See Modernizing the E-Rate Program for Schools and Libraries, WC Docket No. 13-184, Order, at Appendix B (WCB 2022) (describing E-Rate eligible services for funding year 2023); supra section III.D (proposing additional eligible services for the Pilot program). In the December 2022 Public Notice, we sought comment on whether the Commission had sufficient legal authority for funding advanced firewall services, including pursuant to sections 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) of the Communications Act, and any other legal issues or concerns the Commission should consider based on the proposals. December 2022 Public Notice at *6 (seeking comment on legal authority to initiate a pilot program and make advanced or next-generation firewalls and services eligible). All commenters who opined agreed that the Commission had sufficient legal authority to fund advanced firewall equipment and services. See ALA Comments at 5-6; ALA Reply at 3-4; Cisco Comments at 23-25; CoSN Comments at 16-17; SHLB Coalition Reply at 6. The record thus indicates that the Commission has sufficient legal authority for today’s proposed Pilot. We seek comment on this view and on the other aspects of legal authority raised below. 53. As a preliminary matter, the record to date supports commenters’ views that today’s Pilot, which would use USF funding to support the provision of cybersecurity and advanced firewall services to participating schools and libraries, is consistent with Congress’s view that the USF represents an evolving level of service. 47 U.S.C. § 254(c)(1); CoSN Comments at 16-17; SHLB Coalition Reply at 2 (all stating that expanding E-Rate eligibility as proposed is consistent with Congressional direction pursuant to section 254 of the Communications Act). We find it likely that the results of the Pilot would inform potential future actions that the Commission take to further its obligation to “establish periodically” universal service rules that “tak[e] into account advances in telecommunications and information technologies and services.” 47 U.S.C. § 254(c)(1); CoSN Comments at 16-17 (citing 47 U.S.C. § 254(c)(1)). The utility and necessity of the proposed new services, including cybersecurity and advanced firewall services, reflects ongoing advances in networks and the associated threats that schools’ and libraries’ broadband networks face today compared to in years past. We seek comments on these views. 54. The record supports commenters’ view that the Commission has legal basis for today’s proposed Pilot pursuant to section 254(h)(2)(A) of the Communications Act “to enhance, to the extent technically feasible and economically reasonable, access to advanced telecommunications and information services for all public and nonprofit elementary and secondary school classrooms . . . and libraries . . .” based on two distinct views. 47 U.S.C. § 254(h)(2)(A); ALA Comments at 5; Cisco Comments, at 24; CoSN Comments at 16-17. First, the proposed Pilot could make a number of new services, including, for example, advanced and next-generation firewalls, VPNs, intrusion detection and prevention protection, DNS security, and/or DDoS protection, directly available to participants. Each of these services is itself an “advanced telecommunications” and/or “information service” as each filters the information permitted to influence and affect participants’ telecommunications networks. ALA Comments at 5; CoSN Comments at 16-17 (all supporting the eligibility of next-generation firewalls and related services). Second, the proposed new services would remediate many common types of cyber threats that would otherwise dimmish the ability of schools and libraries to use their existing “advanced telecommunications and information services” (e.g., the Internet), thereby meaningfully “enhanc[ing]” their access to the existing services. Cisco Comments at 24 (noting that “cybersecurity protection both enhances and ensures ongoing, usable access to broadband”). We seek comment on these two views. For example, according to the first view, to what extent are the services included in today’s pilot proposal themselves “advanced telecommunications and information services” within the meaning of section 254(h)(2) of the Communications Act? 55. In addition, we believe that by taking steps to deter harm to a school or library network when it is accessed remotely on end-user devices that are owned or leased by the school or library, we are necessarily also ensuring that the same network would remain functional when accessed from within a traditional school classroom or a library’s physical premises. This reflects the fact that students can access school networks before or after school hours to complete homework and other assignments, which often occurs from the home or another location outside of the school premises. Modernizing the E-Rate Program for Schools and Libraries, WC Docket No. 13-184, Declaratory Ruling, FCC 23-84, para. 9 & n.30 (Oct. 25, 2023) (discussing the “need for connectivity to complete homework and other assignments before and after school hours,” and the fact that “teachers are more likely to assign homework that requires access to broadband and/or digital devices outside of schools as grade levels increase”). We seek comment on these views, generally on our legal authority for today’s proposals and on the physical spaces that qualify for eligible equipment and services, whether based on legal authority considerations or other practical concerns. 56. We further believe that today’s Pilot is “technically feasible and economically reasonable” as required by section 254(h)(2)(A) of the Communications Act. While the Commission has previously expressed a view, as recently as 2019, that any expansion of cybersecurity services beyond basic firewall services may be cost-prohibitive to the E-Rate program, Supra para. 12 (summarizing the Commission’s prior determinations to limit the scope of equipment/services eligible for E-Rate). we seek comment on whether changed circumstances in the years since that determination (and earlier Commission determinations) warrant today’s proposed Pilot. As discussed above, the COVID-19 pandemic changed the extent to which K-12 schools and libraries utilize their networks to deliver quality education and learning materials off-premises to students and patrons. Supra para. 6. Moreover, since 2021, Congress, CISA, GAO, and other federal agencies have effectuated legislation or taken other actions to study how the number and variety of cyberthreats facing K-12 schools and libraries continues to evolve. Supra paras. 7-9. We believe that today’s Pilot reflects these actions by seeking to better understand the nature of current cyber threats faced by K-12 schools and libraries participating in the E-Rate program. Moreover, we have designed the Pilot to limit USF expenditures until the nature of any significant threats are understood based on the Pilot’s results in several ways. One, the costs of today’s proposals would fall entirely within a time-limited, three-year USF-supported Pilot program, and not would not draw from the budget for the E-Rate program. Two, the costs would be mitigated because we propose that the participants be required to leverage other free and low-cost K-12 cybersecurity tools and services as part of their cybersecurity action plans. Supra paras. 37-38. We expect to obtain results from the Pilot that will enable us to make informed long-term decisions on whether any of the equipment and services studied in the program would be cost-effective to include in E-Rate, should we address that matter through subsequent Commission action. We expect these steps will lead to lower USF costs as the burden for K-12 cybersecurity protection will not be borne solely by the E-Rate program or other universal service program funding. We seek comment on these views. 57. The record also supports commenters’ view that the Commission has an additional legal basis for structuring the Pilot program as proposed today pursuant to section 254(c)(3) of the Communications Act. This section grants the Commission authority to “designate additional services for [USF] support . . . for schools [and] libraries.” 47 U.S.C. § 254(c)(3) (permitting the Commission to designate additional services for USF support for schools and libraries pursuant to 47 U.S.C. § 254(h)); ALA Comments at 5; Cisco Comments at 24, n.89; CoSN Comments at 16-17. Our proposed Pilot is consistent with this authority, the record indicates, as the Pilot would allow for the designation of additional services that may be used by participating schools and libraries based on USF funding. ALA Comments at 5 (supporting the eligibility of new services pursuant to 47 U.S.C. § 254(c)(3)); see also Cisco Comments at 24, n.89; CoSN Comments at 16-17. Moreover, the results of the proposed Pilot program could be used by the Commission to inform potential further actions to facilitate the availability of these services to schools and libraries based on the USF. We seek comment on these preliminary conclusions. 58. Other Legal Bases and Considerations. We seek comment on the extent to which the cybersecurity and advanced firewall services made available through our proposed Pilot fulfill the Commission’s mandate to make “[q]uality services” available at just, reasonable, and affordable rates. 47 U.S.C. § 254(b)(1). Does ensuring that E-Rate-funded networks are able to implement strong and up-to-date cybersecurity measures, through the services funded through this Pilot program, further this statutory goal and, if so, how does ensuring the protection and privacy of school and library networks contribute to the provision of “[q]uality services”? 59. The record to date indicates that the statutory bases identified above, taken collectively or individually, provide sufficient authority for our proposals. We seek comment on this view. We also seek comment on any other sources of legal authority, or constraints on such authority, that could bear on or otherwise impact today’s proposals. For example, does the Commission have bases for our proposals based on its authority to set discounted rates for certain services provided to schools and libraries pursuant to section 254(h)(1)(B) of the Communications Act? See Cisco Comments at 24; CoSN Comments 16-17 (all noting legal authority for today’s proposal based on section 254(h)(1)(B) of the Communications Act). Relatedly, do the services made eligible in today’s Pilot fall within the scope of services that telecommunications carriers can be required to provide pursuant to this statute? 60. Limits and Restrictions. We further seek comment on any other limits and restrictions that we should place on recipients of Pilot funds to remain within the statutory authority identified above and on any other legal requirements that apply to the Commission’s implementation of the proposed Pilot program. For example, should recipients of Pilot funds be barred from selling, reselling, or otherwise transferring the services that they receive using funds provided for by the Pilot program? See 47 U.S.C. § 254(h)(3). We propose to apply the Secure and Trusted Communications Networks Act of 2021 Secure and Trusted Communications Networks Act of 2019, Pub. L. No. 116-124, 134 Stat. 158 (2020) (codified as amended at 47 U.S.C. §§ 1601–1609) (Secure Networks Act). to Pilot participants by prohibiting these participants from using any funding obtained through the program to purchase, rent, lease, or otherwise obtain any of the equipment or services on the Commission’s Covered List or to maintain any of the equipment or services on the Covered List that was previously purchased, rented, leased, or otherwise obtained. We seek comment on this proposal and on whether there are any other restrictions or requirements that we should place on recipients of Pilot funds based on the Secure Networks Act and/or other related concerns related to supply chain security. Should Pilot participants be required to refund the USF any unused money, including if they withdraw from the Pilot program? 61. The Children’s Internet Protection Act. We also seek comment on the applicability of the Children’s Internet Protection Act (CIPA) to the Pilot program and USF-funded cybersecurity and advanced firewall services for schools and libraries. Congress enacted CIPA to protect children from exposure to harmful material while accessing the Internet from a school or library. See S. Rep. No. 106-141, at 1 (1999), https://www.congress.gov/106/crpt/srpt141/CRPT-106srpt141.pdf (“The purpose of the bill is to protect America’s children from exposure to obscene material, child pornography, or other material deemed inappropriate for minors while accessing the Internet from a school or library receiving Federal Universal Service assistance for provisions of Internet access, Internet service, or internal connection.”). In enacting CIPA, Congress was particularly concerned with protecting children from exposure to material that was obscene, child pornography, or otherwise inappropriate for minors (i.e., harmful content). Id. CIPA prohibits certain schools and libraries from receiving funding under section 254(h)(1)(B) of the Communications Act for Internet access, Internet service, or internal connections, unless they comply with specific Internet safety requirements. Congress passed CIPA as part of a major spending bill in December 2000, and the President signed the bill into law on December 21, 2000. Children’s Internet Protection Act, H.R. 4577, Pub. L. No. 106-554, 106th Cong., tit. XVII, § 1701-1703, 1711-1712, 1721 (2000) (enacted), available at https://www.congress.gov/106/plaws/publ554/PLAW-106publ554.pdf. CIPA is codified at section 254(h)(5)-(6), and section 254(l) of the Communications Act of 1934, as amended. 47 U.S.C. § 254(h)(5)-(6), (l). CIPA requires each covered school and library to certify that the school or library is: (1) “enforcing a policy of Internet safety that includes the operation of a technology protection measure with respect to any of its computers with Internet access that protects against access [by both adults and minors] through such computers” to visual depictions that are (i) obscene; (ii) child pornography; or, (iii) with respect to use of the computers by minors, harmful to minors; and (2) “enforcing the operation of such technology protection measure during any use of such computers” by minors and adults. 47 U.S.C. § 254(h)(5)(B)(i),(ii) and (C)(i),(ii), (h)(6)(B)(i)(ii) and (C)(i)(ii), and (l); 47 CFR § 54.520(c)(1)(i), (c)(2)(i); see also Federal-State Joint Board on Universal Service; Children’s Internet Protection Act, CC Docket No. 96-45, Report and Order, 16 FCC Rcd 8182, 8184, n.5 (2001); Schools and Libraries Universal Service Support Mechanism, A National Broadband Plan for Our Future, CC Docket No. 02-6, GN Docket No. 09-51, Report and Order, 26 FCC Rcd 11819, 11829, para. 23 (2011) (2011 CIPA Order). Specifically, CIPA applies to schools and libraries “having computers with Internet access,” 47 U.S.C. § 254(h)(5)(A)(i), (h)(6)(A)(i). and requires each such school or library to certify that it is enforcing a policy of Internet safety that includes the operation of a technology protection measure “with respect to any of its computers with Internet access.” 47 U.S.C. § 254(h)(5)(B)(i) and (C)(i), (h)(6)(B)(i) and (C)(i). Schools, but not libraries, must also monitor the online activities of minors and provide education about appropriate online behavior, including warnings against cyberbullying. 2011 CIPA Order, 26 FCC Rcd at 11821, para. 5. 62. In the Emergency Connectivity Fund Report and Order, the Commission found that receipt of ECF- or E-Rate-funds for recurring Internet access, Internet services, or internal connections (if any) triggers CIPA compliance when used with any school- or library-owned computer, even if used off-premises. See Establishing the Emergency Connectivity Fund to Close the Homework Gap, WC Docket No. 21-93, Report and Order, 36 FCC Rcd 8696, 8746-49, paras. 108-14 (2021) (Emergency Connectivity Fund Report and Order) (discussing the applicability of CIPA and rejecting the suggestion that CIPA applicability is limited to applicant-owned computers within a school or library building); see also FCC, Emergency Connectivity Fund FAQs: FAQ 10.1, https://www.fcc.gov/emergency-connectivity-fund-faqs (last visited Nov. 9, 2023) (“CIPA requirements apply only to school- or library-owned computers (e.g., tablet computers and laptop computers) when the school or library receives (1) ECF or E-Rate support for internet access, internet services or network equipment for internet access or internet service that will be used by any school- or library-owned computers; or (2) E-Rate support for internal connections or network equipment for internal connections that will be used by any school- or library-owned computers.”). On the other hand, the Commission determined that CIPA does not apply to the use of any third-party-owned device, even if that device is connecting to a school’s or library’s E-Rate- or ECF-funded Internet access or Internet service. Id. We seek comment on what impact the Commission’s interpretation of CIPA in the Emergency Connectivity Fund Report and Order has on the Pilot or USF-funded cybersecurity and advanced firewall services. 63. At the time of CIPA’s enactment, schools and libraries primarily owned one or two stationary computer terminals that were used solely on-premises. See AGiRepair, The Evolution of Technology in the Classroom (Mar. 15, 2021), https://agirepair.com/evolution-of-technology-in-the-classroom/ (explaining that by 1994, most schools had at least one PC in the classroom). Today, it is commonplace for students, school staff, and library patrons to carry Internet-enabled devices onto school or library premises and for schools and libraries to allow third-party-owned devices access to their Internet and broadband networks. Gary Ackerman, A Brief History of Computers in Schools (Nov. 11, 2019), https://hackscience.education/2019/11/11/a-brief-history-of-computers-in-schools/ (“As we approach the third decade of the 21st century, students in the United States, and other industrialized nations, attend schools in which computers abound. The machines may be desktop, laptop, tablet, or handheld models that are owned by and maintained by the school, or the devices may be owned by students and brought to school for educational (or distracting) purposes.”). See also ALA Policy Perspectives, Keeping Communities Connected—Library Broadband Services During the COVID-19 Pandemic at 2 (2022), https://www.ala.org/advocacy/sites/ala.org.advocacy/files/content/telecom/broadband/Keeping_Communities_Connected_030722.pdf (observing that “[t]he country’s nearly 17,000 public libraries offer no-fee internet access, Wi-Fi, and devices, such as computers and tablets”). We invite comment on the scope of the Commission’s authority to impose CIPA requirements on third-party devices that may connect with school- or library-owned broadband networks as part of this Pilot program or school- and library-owned broadband networks funded with USF support, and whether the imposition of such requirements would be appropriate. Similarly, we invite comment on whether the requirements of CIPA should apply to USF-funded cybersecurity and advanced firewall services (e.g., cybersecurity software) if placed on third-party owned devices that connect to a school- or library-owned broadband network. 64. Finally, we acknowledge there are privacy concerns related to certain CIPA requirements, particularly as it relates to students’ and library patrons’ data that is often subject to various federal and/or state privacy laws. We seek comment on these privacy issues and any privacy concerns commenters may have about the application of CIPA to this Pilot program or USF-funded cybersecurity and advanced firewall services for schools and libraries. G. Promoting Digital Equity and Inclusion 65. The Commission, as part of its continuing effort to advance digital equity for all, Section 1 of the Communications Act of 1934, as amended, provides that the FCC “regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” 47 U.S.C. § 151. including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations The term “equity” is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 Fed. Reg. 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (Jan. 20, 2021). and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well the scope of the Commission’s relevant legal authority. IV. PROCEDURAL MATTERS 66. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA), 5 U.S.C. §§ 601–612. The RFA has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” 5 U.S.C. § 605(b). Accordingly, we have prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning the possible impact of potential rule and/or policy changes contained in this Notice of Proposed Rulemaking on small entities. The IRFA is set forth in the Appendix B. Written public comments are requested on the IRFA. Comments must be filed by the deadlines for comments on the NPRM indicated on the first page of this document and must have a separate and distinct heading designating them as responses to the IRFA. 67. Paperwork Reduction Act. This document contains proposed new or modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and the Office of Management and Budget (OMB) to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. § 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees. 68. Ex Parte Rules – Permit but Disclose. Pursuant to section 1.1200(a) of the Commission's rules, 47 CFR § 1.1200(a). this Notice of Proposed Rulemaking shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission's ex parte rules. 47 CFR § 1.1200 et seq. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda, or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g.,.doc,.xml,.ppt, searchable.pdf). Participants in this proceeding should familiarize themselves with the Commission's ex parte rules. 69. Providing Accountability Through Transparency Act. Consistent with the Providing Accountability Through Transparency Act, Public Law 118-9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings. 70. Comment Period and Filing Procedures. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. All filings must refer to WC Docket No. 23-234. · Electronic filers: Comments may be filed electronically using the Internet by accessing the Commission’s Electronic Comment Filing System (ECFS): https://www.fcc.gov/ecfs. See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 (1998). · Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. · Filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission’s Secretary, Office of the Secretary, Federal Communications Commission. · Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. · U.S. Postal Service first-class, Express, and Priority mail must be addressed to 45 L Street, N.E., Washington DC 20554. · Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings. This is a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19. See FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy, Public Notice, DA 20-304 (Mar. 19, 2020), https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy. In the event that the Commission announces the lifting of COVID-19 restrictions, a filing window will be opened at the Commission’s office located at 9050 Junction Drive, Annapolis Junction, Maryland 20701. FCC, How to File Paper Documents with the FCC, https://www.fcc.gov/reports-research/guides/how-file-paper-documents-fcc (last visited Nov. 9, 2023). 71. People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530. 72. Availability of Documents: Comments, reply comments, and ex parte submissions will be publicly available online via ECFS. Documents will generally be available electronically in ASCII, Microsoft Word, and/or Adobe Acrobat. 73. Further Information. For further information, contact Joseph Schlingbaum of the Telecommunications Access Policy Division, Wireline Competition Bureau at Joseph.Schlingbaum@fcc.gov or (202) 418-1500. For information regarding the PRA information collection requirements contained in this Notice of Proposed Rulemaking, contact Nicole Ongele, Office of Managing Director, at Nicole.Ongele@fcc.gov or (202) 418-2991. V. ORDERING CLAUSES 74. Accordingly, IT IS ORDERED that, pursuant to the authority found in sections 1 through 4, 201 through 202, 254, 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151 through 154, 201 through 202, 254, 303(r), and 403, this Notice of Proposed Rulemaking IS ADOPTED. 75. IT IS FURTHER ORDERED that the Commission’s Office of the Secretary, Reference Information Center, SHALL SEND a copy of this Notice of Proposed Rulemaking, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration. FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 2 APPENDIX A Proposed Rules For the reasons discussed in the preamble, the Federal Communications Commission proposes to amend part 54 of Title 47 of the Code of Federal Regulations as follows: PART 54 – UNIVERSAL SERVICE The authority for part 54 continues to read as follows: Authority: 47 U.S.C. 151, 154(i), 155, 201, 205, 214, 219, 220, 229, 254, 303, 403, 1004, 1302, 1601-1609, and 1752. 1. Add subpart T to read as follows: Subpart T -- Schools and Libraries Cybersecurity Pilot Program § 54.2000 Terms and Definitions. Administrator. The term “Administrator” means the Universal Service Administrative Company. Billed Entity. A “billed entity” is the entity that remits payment to service providers for services rendered to eligible schools, libraries, or consortia of eligible schools and libraries. Commission. The term “Commission” means the Federal Communications Commission. Connected device. The term “connected device” means a laptop or desktop computer, or a tablet. Consortium. A “consortium” is any local, Tribal, statewide, regional, or interstate cooperative association of schools and/or libraries eligible for Schools and Libraries Cybersecurity Pilot Program support that seeks competitive bids for eligible services or funding for eligible services on behalf of some or all of its members. A consortium may also include health care providers eligible under subpart G of this part, and public sector (governmental) entities, including, but not limited to, state colleges and state universities, state educational broadcasters, counties, and municipalities, although such entities are not eligible for support. Cyber incident. An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences. Cyber threat. A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society. Cyberattack. An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity. Doxing. The act of compiling or publishing personal information about an individual on the Internet, typically with malicious intent. Educational Purposes. For purposes of this subpart, activities that are integral, immediate, and proximate to the education of students, or in the case of libraries, integral, immediate and proximate to the provision of library services to library patrons, qualify as “educational purposes.” Elementary School. An “elementary school” means an elementary school as defined in 20 U.S.C. 7801(18), a non-profit institutional day or residential school, including a public elementary charter school, that provides elementary education, as determined under state law. Library. A “library includes: (1) A public library; (2) A public elementary school or secondary school library; (3) A Tribal library; (4) An academic library; (5) A research library, which for the purpose of this section means a library that: (i) Makes publicly available library services and materials suitable for scholarly research and not otherwise available to the public; and (ii) Is not an integral part of an institution of higher education; and (6) A private library, but only if the state in which such private library is located determines that the library should be considered a library for the purposes of this definition. Library consortium. A “library consortium” is any local, statewide, Tribal, regional, or interstate cooperative association of libraries that provides for the systematic and effective coordination of the resources of schools, and public, academic, and special libraries and information centers, for improving services to the clientele of such libraries. For the purposes of these rules, references to library will also refer to library consortium. National School Lunch Program. The “National School Lunch Program” is a program administered by the U.S. Department of Agriculture and state agencies that provides free or reduced price lunches to economically disadvantaged children. A child whose family income is between 130 percent and 185 percent of applicable family size income levels contained in the nonfarm poverty guidelines prescribed by the Office of Management and Budget is eligible for a reduced price lunch. A child whose family income is 130 percent or less of applicable family size income levels contained in the nonfarm income poverty guidelines prescribed by the Office of Management and Budget is eligible for a free lunch. Pre-discount price. The “pre-discount price” means, in this subpart, the price the service provider agrees to accept as total payment for its eligible services and equipment. This amount is the sum of the amount the service provider expects to receive from the eligible school, library, or consortium, and the amount it expects to receive as reimbursement from the Schools and Libraries Cybersecurity Pilot Program for the discounts provided under this subpart. Secondary school. A “secondary school” means a secondary school as defined in 20 U.S.C. 7801(38), a non-profit institutional day or residential school, including a public secondary charter school, that provides secondary education, as determined under state law except that the term does not include any education beyond grade 12. Tribal. An entity is “Tribal” if it is a school operated by or receiving funding from the Bureau of Indian Education (BIE), or if it is a school or library operated by any Tribe, Band, Nation, or other organized group or community, including any Alaska native village, regional corporation, or village corporation (as defined in, or established pursuant to, the Alaska Native Claims Settlement Act (43 U.S.C. § 1601 et seq.) that is recognized as eligible for the special programs and services provided by the United States to Indians because of their status as Indians. § 54.2001 Budget and Duration. (a) Budget. The Schools and Libraries Cybersecurity Pilot Program shall have a cap of $200 million. (b) Duration. The Schools and Libraries Cybersecurity Pilot Program shall make funding available to applicants selected to participate (in accordance with § 54.2004 of this subpart) for three years, to begin when selected applicants are first eligible to receive eligible services and equipment. § 54.2002 Eligible Recipients. (a) Schools. (1) Only schools meeting the statutory definition of “elementary school” or “secondary school” as defined in § 54.2000, and not excluded under paragraphs (a)(2) or (3) of this section shall be eligible for discounts on supported services under this subpart. (2) Schools operating as for-profit businesses shall not be eligible for discounts under this subpart. (3) Schools with endowments exceeding $50,000,000 shall not be eligible for discounts under this subpart. (b) Libraries. (1) Only libraries eligible for assistance from a State library administrative agency under the Library Services and Technology Act (20 U.S.C. 9122) and not excluded under paragraph (b)(2) or (3) of this section shall be eligible for discounts under this subpart. (2) Except as provided in paragraph (b)(4) of this section, a library's eligibility for universal service funding shall depend on its funding as an independent entity. Only libraries whose budgets are completely separate from any schools (including, but not limited to, elementary and secondary schools, colleges, and universities) shall be eligible for discounts as libraries under this subpart. (3) Libraries operating as for-profit businesses shall not be eligible for discounts under this subpart. (4) A Tribal college or university library that serves as a public library by having dedicated library staff, regular hours, and a collection available for public use in its community shall be eligible for discounts under this subpart. (c) Consortia. (1) For consortia, discounts under this subpart shall apply only to the portion of eligible services and equipment used by eligible schools and libraries. (2) Service providers shall keep and retain records of rates charged to and discounts allowed for eligible schools and libraries on their own or as part of a consortium. Such records shall be available for public inspection. § 54.2003 Eligible Services and Equipment. (a) Supported services and equipment. All supported services and equipment are listed in the Schools and Libraries Cybersecurity Pilot Program Eligible Services List, as updated in accordance with paragraph (b) of this section. The services and equipment in this subpart will be supported in addition to all reasonable charges that are incurred by taking such services, such as state and federal taxes. Charges for termination liability, penalty surcharges, and other charges not included in the cost of taking such service shall not be covered by the universal service support mechanisms. (b) Schools and Libraries Cybersecurity Pilot Program Eligible Services List Process. The Wireline Competition Bureau will release a list of services and equipment eligible for support prior to the opening of the Pilot Participant Selection Application Window, in accordance with § 54.2004. The Wireline Competition Bureau may, as needed, amend the list of services and equipment eligible for support prior to the termination of the Schools and Libraries Cybersecurity Pilot Program, in accordance with § 54.2001. (c) Prohibition on resale. Eligible supported services and equipment shall not be sold, resold, or transferred in consideration of money or any other thing of value, until the conclusion of the Schools and Libraries Cybersecurity Pilot Program, as provided in § 54.2001. § 54.2004 Application for Selection in the Pilot Program. (a) The Wireline Competition Bureau will announce the opening of the Pilot Participant Selection Application Window. Eligible recipients shall have no less than sixty (60) days to submit a Pilot Participant Selection Application, following the opening of the window. (b) The Wireline Competition Bureau shall announce those eligible applicants that have been selected to participate in the Schools and Libraries Cybersecurity Pilot Program no more than ninety (90) days following the close of the Pilot Participant Selection Application Window. (c) Filing the FCC Form 484. (1) Schools, libraries, or consortia of eligible schools and libraries to participate in the Schools and Libraries Cybersecurity Pilot Program shall submit a completed FCC Form 484 to the Administrator. The FCC Form 484 shall include, at a minimum, the following information: (i) Name, address, and contact information for the interested school or library. For school district or library system applicants, the name and address of all schools/libraries within the district/system, and contact information for the district or library system. (ii) Description of the Pilot participant’s current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics, and a description of its proposed advanced cybersecurity action plan should it be selected to participate in the Pilot program and receive funding. (iii) Description of any incident of unauthorized operational access to the Pilot participant’s systems or equipment within a year of the date of its application; the date range of the incident; a description of the unauthorized access; the impact to the K-12 school or library; a description of the vulnerabilities exploited and the techniques used to access the system; and identifying information for each actor responsible for the incident, if known. (iv) Description of the Pilot participant’s proposed use of the funding to protect its broadband network and data and improve its ability to address K-12 cyber concerns. This description should include the types of services and equipment the participant plans to purchase and the plan for implementing and using the Pilot-funded equipment and services to protect its broadband network and data, and improve its ability to manage and address its cybersecurity risks. (v) Description of how the Pilot participant plans to collect and track its progress in implementing the Pilot-funded equipment and services into its cybersecurity action plan, and for providing the required Pilot data, including the impact the funding had on its initial cybersecurity action plan that pre-dated implementation of Pilot efforts. (2) The FCC Form 484 shall be signed by a person authorized to submit the application to participate in the Pilot Program on behalf of the eligible school, library, or consortium, including such entities. (i) A person authorized to submit the application on behalf of the entities listed on an FCC Form 484 shall certify under oath that: (A) “I am authorized to submit this application on behalf of the above-named applicant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on other documents submitted by this applicant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).” (B) “In addition to the foregoing, this applicant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.” (C) “By signing this application, I certify that the information contained in this form is true, complete, and accurate, and the projected expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, sections 1001, 286–287 and 1341 and Title 31, sections 3729–3730 and 3801–3812).” (D) The applicant recognizes that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or federal agency with jurisdiction over the entity. (E) I certify and acknowledge, under penalty of perjury, that if selected, the schools, libraries, and consortia in the application will comply with all applicable Schools and Libraries Cybersecurity Pilot Program rules, requirements, and procedures, including the competitive bidding rules and the requirement to pay the required share of the costs for the supported items from eligible sources. (F) I certify under penalty of perjury, to the best of my knowledge, that the schools, libraries, and consortia listed in the application are not already receiving or expecting to receive other funding (from any source, federal, state, Tribal, local, private, or other) that will pay for the same equipment and/or services for which I am seeking funding under the Schools and Libraries Cybersecurity Pilot Program. (G) I certify under penalty of perjury, to the best of my knowledge, that all requested equipment and services funded by the Schools and Libraries Cybersecurity Pilot Program will be used for their intended purposes. § 54.2005 Competitive Bidding Requirements. (a) All applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program must conduct a fair and open competitive bidding process, consistent with all requirements set forth in this subpart. (b) Competitive bid requirements. All applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall seek competitive bids, pursuant to the requirements established in this subpart, for all services and equipment eligible for support under § 54.2003. These competitive bid requirements apply in addition to any applicable state, Tribal, and local competitive bid requirements and are not intended to preempt such state, Tribal, or local requirements. (c) Posting of FCC Form 470. (1) An applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall submit a completed FCC Form 470 to the Administrator to initiate the competitive bidding process. The FCC Form 470 shall include, at a minimum, the following information: (i) A list of specified services and/or equipment for which the school, library, or consortium requests bids; (ii) Sufficient information to enable bidders to reasonably determine the needs of the applicant; (2) The FCC Form 470 shall be signed by a person authorized to request bids for eligible services and equipment for the eligible school, library, or consortium, including such entities, and shall include that person’s certification under penalty of perjury that: (i) “I am authorized to submit this application on behalf of the above-named applicant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on other documents submitted by this applicant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).” (ii) “In addition to the foregoing, this applicant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.” (iii) “By signing this application, I certify that the information contained in this form is true, complete, and accurate. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, sections 1001, 286–287 and 1341 and Title 31, sections 3729–3730 and 3801–3812).” (iv) The schools meet the statutory definition of “elementary school” or “secondary school” as defined in § 54.2000, do not operate as for-profit businesses, and do not have endowments exceeding $50 million. (v) Libraries or library consortia eligible for assistance from a State library administrative agency under the Library Services and Technology Act of 1996 do not operate as for-profit businesses and, except for the limited case of Tribal college or university libraries, have budgets that are completely separate from any school (including, but not limited to, elementary and secondary schools, colleges, and universities). (vi) The services and/or equipment that the school, library, or consortium purchases at discounts will not be sold, resold, or transferred in consideration for money or any other thing of value, except as allowed by § 54.2003(c). (vii) The school(s) and/or library(ies) listed on this FCC Form 470 will not accept anything of value, other than services and equipment sought by means of this form, from the service provider, or any representatives or agent thereof or any consultant in connection with this request for services. (viii) All bids submitted for eligible equipment and services will be carefully considered, with price being the primary factor, and the bid selected will be for the most cost-effective service offering consistent with paragraph (e) of this section. (ix) The school, library, or consortium acknowledges that support under this Pilot Program is conditional upon the school(s) and/or library(ies) securing access, separately or through this program, to all of the resources necessary to effectively use the requested equipment and services. The school, library, or consortium recognizes that some of the aforementioned resources are not eligible for support and certifies that it has considered what financial resources should be available to cover these costs. (x) I will retain required documents for a period of at least 10 years (or whatever retention period is required by the rules in effect at the time of this certification) after the later of the last day of the applicable funding year or the service delivery deadline for the associated funding request. I also certify that I will retain all documents necessary to demonstrate compliance with the statute and Commission rules regarding the form for, receipt of, and delivery of equipment and services receiving Schools and Libraries Cybersecurity Pilot Program discounts. I acknowledge that I may be audited pursuant to participation in the Pilot program. (xi) I certify that the equipment and services that the applicant purchases at discounts will be used primarily for educational purposes and will not be sold, resold or transferred in consideration for money or any other thing of value, except as permitted by the Commission’s rules at 47 C.F.R. § 54.2003(c). Additionally, I certify that the entity or entities listed on this form will not accept anything of value or a promise of anything of value, other than services and equipment sought by means of this form, from the service provider, or any representative or agent thereof or any consultant in connection with this request for services. (xii) I acknowledge that support under this Pilot program is conditional upon the school(s) and/or library(ies) I represent securing access, separately or through this program, to all of the resources necessary to effectively use the requested equipment and services. I recognize that some of the aforementioned resources are not eligible for support. I certify that I have considered what financial resources should be available to cover these costs. (xiii) I certify that I have reviewed all applicable Commission, state, Tribal, and local procurement/competitive bidding requirements and that the applicant will comply with all applicable requirements. (3) The Administrator shall post each FCC Form 470 that it receives from an applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program on its Web site designated for this purpose. (4) After posting on the Administrator’s Web site an FCC Form 470, the Administrator shall send confirmation of the posting to the applicant requesting services and/or equipment. The applicant shall then wait at least four weeks from the date on which its description of services and/or equipment is posted on the Administrator's Web site before making commitments with the selected providers of services and/or equipment. The confirmation from the Administrator shall include the date after which the applicant may sign a contract with its chosen provider(s). (d) Gift Restrictions. (1) Subject to paragraphs (d)(3) and (4) of this section, an applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program may not directly or indirectly solicit or accept any gift, gratuity, favor, entertainment, loan, or any other thing of value from a service provider participating in or seeking to participate in the Schools and Libraries Cybersecurity Pilot Program. No such service provider shall offer or provide any such gift, gratuity, favor, entertainment, loan, or other thing of value except as otherwise provided herein. Modest refreshments not offered as part of a meal, items with little intrinsic value intended solely for presentation, and items worth $20 or less, including meals, may be offered or provided, and accepted by any individuals or entities subject to this rule, if the value of these items received by any individual does not exceed $50 from any one service provider per year. The $50 amount for any service provider shall be calculated as the aggregate value of all gifts provided during a year by the individuals specified in paragraph (d)(2)(ii) of this section. (2) For purposes of this paragraph: (i) The term “applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program” includes all individuals who are on the governing boards of such entities (such as members of a school committee), and all employees, officers, representatives, agents, consultants, or independent contractors of such entities involved on behalf of such school, library, or consortium with the Schools and Libraries Cybersecurity Pilot Program, including individuals who prepare, approve, sign, or submit applications, or other forms related to the Schools and Libraries Cybersecurity Pilot Program, or who prepare bids, communicate, or work with Schools and Libraries Cybersecurity Pilot Program service providers, Schools and Libraries Cybersecurity Pilot Program consultants, or with the Administrator, as well as any staff of such entities responsible for monitoring compliance with the Schools and Libraries Cybersecurity Pilot Program; and (ii) The term “service provider” includes all individuals who are on the governing boards of such an entity (such as members of the board of directors), and all employees, officers, representatives, agents, consultants, or independent contractors of such entities. (3) The restrictions set forth in this paragraph shall not be applicable to the provision of any gift, gratuity, favor, entertainment, loan, or any other thing of value, to the extent given to a family member or a friend working for an eligible school, library, or consortium that includes an eligible school or library, provided that such transactions: (i) Are motivated solely by a personal relationship, (ii) Are not rooted in any service provider business activities or any other business relationship with any such applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program, and (iii) Are provided using only the donor's personal funds that will not be reimbursed through any employment or business relationship. (4) Any service provider may make charitable donations to an applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program in the support of its programs as long as such contributions are not directly or indirectly related to Schools and Libraries Cybersecurity Pilot Program procurement activities or decisions and are not given by service providers to circumvent competitive bidding and other Schools and Libraries Cybersecurity Pilot Program rules. (e) Selecting a provider of eligible services. In selecting a provider of eligible services and equipment, applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall carefully consider all bids submitted and must select the most cost-effective service offering. In determining which service offering is the most cost-effective, entities may consider relevant factors other than the pre-discount prices submitted by providers, but price should be the primary factor considered. § 54.2006 Requests for Funding. (a) Filing of the FCC Form 471. (1) An applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall, upon entering into a signed contract or other legally binding agreement for eligible services and equipment, submit a completed FCC Form 471 to the Administrator. (2) The FCC Form 471 shall be signed by the person authorized to order eligible services or equipment for the applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program and shall include that person’s certification under penalty of perjury that: (i) “I am authorized to submit this application on behalf of the above-named applicant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this application has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on other documents submitted by this applicant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).” (ii) “In addition to the foregoing, this applicant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.” (iii) “By signing this application, I certify that the information contained in this application is true, complete, and accurate, and the projected expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, sections 1001, 286–287 and 1341 and Title 31, sections 3729–3730 and 3801–3812).” (iv) The school meets the statutory definition of “elementary school” or “secondary school” as defined in § 54.2000, does not operate as for-profit businesses, and does not have endowments exceeding $50 million. (v) The library or library consortia is eligible for assistance from a State library administrative agency under the Library Services and Technology Act, does not operate as for-profit businesses and, except for the limited case of Tribal college and university libraries, have budgets that are completely separate from any school (including, but not limited to, elementary and secondary schools, colleges, and universities). (vi) The school, library, or consortium listed on the FCC Form 471 application will pay the non-discount portion of the costs of the eligible services and/or equipment to the Service Provider(s). (vii) The school, library, or consortium listed on the FCC Form 471 application has conducted a fair and open competitive bidding process and has complied with all applicable state, Tribal, or local laws regarding procurement of the equipment and services for which support is being sought. (viii) An FCC Form 470 was posted and that any related request for proposals (RFP) was made available for at least 28 days before considering all bids received and selecting a service provider. The school, library, or consortium listed on the FCC Form 471 application carefully considered all bids submitted and selected the most-cost-effective bid in accordance with § 54.2005(e), with price being the primary factor considered. (ix) The school, library, or consortium listed on the FCC Form 471 application is only seeking support for eligible services and/or equipment. (x) The school, library, or consortia is not seeking Schools and Libraries Cybersecurity Pilot Program support or reimbursement for eligible services and/or equipment that have been purchased and reimbursed in full with other federal funding, targeted state funding, other external sources of targeted funding or targeted gifts, or are eligible for discounts from the schools and libraries universal service support mechanism or another universal service support mechanism. (xi) The services and equipment the school, library, or consortium purchases using Schools and Libraries Cybersecurity Pilot Program support will be used primarily for educational purposes and will not be sold, resold, or transferred in consideration for money or any other thing of value, except as allowed by § 54.2003(c). (xii) The school, library, or consortium will create and maintain an equipment and service inventory as required by § 54.2010(a). (xiii) The school, library, or consortium has complied with all program rules and acknowledges that failure to do so may result in denial of funding and/or recovery of funding. (xiv) The school, library, or consortium acknowledges that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or federal agency with jurisdiction over the entity. (xv) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or received by the applicant from anyone in connection with the Schools and Libraries Cybersecurity Pilot Program or the schools and libraries universal service support mechanism. (xvi) The school, library, or consortium acknowledges that Commission rules provide that persons who have been convicted of criminal violations or held civilly liable for certain acts arising from their participation in the universal service support mechanisms are subject to suspension and debarment from the program. The school, library, or consortium will institute reasonable measures to be informed, and will notify the Administrator should it be informed or become aware that any of the entities listed on this application, or any person associated in any way with this entity and/or the entities listed on this application, is convicted of a criminal violation or held civilly liable for acts arising from their participation in the universal service support mechanisms. (b) Service or Equipment Substitution. (1) A request by a Schools and Libraries Cybersecurity Pilot Program applicant to substitute service or equipment for one identified in its FCC Form 471 must be in writing and certified under perjury by an authorized person. (2) The Administrator shall approve such written request where: (i) The service or equipment has the same functionality; (ii) The substitution does not violate any contract provisions or state, Tribal, or local procurement laws; and (iii) The Schools and Libraries Cybersecurity Pilot Program participant certifies that the requested change is within the scope of the controlling FCC Form 470. (3) In the event that a service or equipment substitution results in a change in the pre-discount price for the supported service or equipment, support shall be based on the lower of either the pre-discount price of the service or equipment for which support was originally requested or the pre-discount price of the new, substituted service or equipment after the Administrator has approved a written request for the substitution. (c) Mixed eligibility services and equipment. If the service or equipment includes both ineligible and eligible components, the applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program must remove the cost of the ineligible components of the service or equipment from the request for funding submitted to the Administrator. § 54.2007 Discounts. (a) Discount mechanism. Discounts for applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall be set as a percentage discount from the pre-discount price. (b) Discount percentages. The discounts available to applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall range from 20 percent to 90 percent of the pre-discount price for all eligible services provided by eligible providers. The discounts available shall be determined by indicators of poverty and urban/rurality designation. (1) For schools and school districts, the level of poverty shall be based on the percentage of the student enrollment that is eligible for a free or reduced price lunch under the National School Lunch Program or a federally-approved alternative mechanism. School districts shall divide the total number of students eligible for the National School Lunch Program within the school district by the total number of students within the school district to arrive at a percentage of students eligible. This percentage rate shall then be applied to the discount matrix to set a discount rate for the supported services purchased by all schools within the school district. Independent charter schools, private schools, and other eligible educational facilities should calculate a single discount percentage rate based on the total number of students under the control of the central administrative agency. (2) For libraries and library consortia, the level of poverty shall be based on the percentage of the student enrollment that is eligible for a free or reduced price lunch under the National School Lunch Program or a federally-approved alternative mechanism in the public school district in which they are located and should use that school district's level of poverty to determine their discount rate when applying as a library system or as an individual library outlet within that system. When a library system has branches or outlets in more than one public school district, that library system and all library outlets within that system should use the address of the central outlet or main administrative office to determine which school district the library system is in, and should use that school district's level of poverty to determine its discount rate when applying as a library system or as one or more library outlets. If the library is not in a school district, then its level of poverty shall be based on an average of the percentage of students eligible for the National School Lunch Program in each of the school districts that children living in the library's location attend. (3) The Administrator shall classify schools and libraries as “urban” or “rural” according to the following designations. The Administrator shall designate a school or library as “urban” if the school or library is located in an urbanized area or urban cluster area with a population equal to or greater than 25,000, as determined by the most recent rural-urban classification by the Bureau of the Census. The Administrator shall designate all other schools and libraries as “rural.” (4) Applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program shall calculate discounts on supported services described in § 54.2003 that are shared by two or more of their schools, libraries, or consortia members by calculating an average discount based on the applicable district-wide discounts of all member schools and libraries. School districts, library systems, or other billed entities shall ensure that, for each year in which an eligible school or library is included for purposes of calculating the aggregate discount rate, that eligible school or library shall receive a proportionate share of the shared services for which support is sought. For schools, the discount shall be a simple average of the applicable district-wide percentage for all schools sharing a portion of the shared services. For libraries, the average discount shall be a simple average of the applicable discounts to which the libraries sharing a portion of the shared services are entitled. (c) Discount matrix. Except as provided in paragraph (d), the Administrator shall use the following matrix to set the discount rate to be applied to eligible services purchased by applicants selected to participate in the Schools and Libraries Cybersecurity Pilot Program based on the applicant’s level of poverty and location in an “urban” or “rural” area. Discount Level % of students eligible for National School Lunch Program Urban Discount Rural Discount < 1 20 25 1-19 40 50 20-34 50 60 35-49 60 70 50-74 80 80 75-100 85 85 (d) Tribal Library Discount Level. For the costs of eligible cybersecurity equipment and services, Tribal libraries at the highest discount level shall receive a 90 percent discount. (e) Payment for the non-discount portion of supported services and equipment. An applicant selected to participate in the Schools and Libraries Cybersecurity Pilot Program must pay the non-discount portion of costs for the services or equipment purchased with universal service discounts, and may not receive rebates for services or equipment purchased with universal service discounts. For the purpose of this rule, the provision, by the provider of a supported service or equipment, of free services or equipment unrelated to the supported service or equipment constitutes a rebate of the non-discount portion of the costs for the supported services and equipment. § 54.2008 Requests for Reimbursement. (a) Submission of request for reimbursement (FCC Form 472 or FCC Form 474). Reimbursement for the costs associated with eligible services and equipment shall be provided directly to an applicant selected to participate, or service provider, seeking reimbursement from the Schools and Libraries Cybersecurity Pilot Program upon submission and approval of a completed FCC Form 472 (Billed Entity Applicant Reimbursement Form) or a completed FCC Form 474 (Service Provider Invoice) to the Administrator. (1) The FCC Form 472 shall be signed by the person authorized to submit requests for reimbursement for the eligible school, library, or consortium and shall include that person’s certification under penalty of perjury that: (i) “I am authorized to submit this request for reimbursement on behalf of the above-named school, library or consortium and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this request for reimbursement has been examined and is true, accurate, and complete. I acknowledge that any false statement on this request for reimbursement or on other documents submitted by this school, library, or consortium can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).” (ii) “In addition to the foregoing, the school, library or consortium is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.” (iii) “By signing this request for reimbursement, I certify that the information contained in this request for reimbursement is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, sections 1001, 286–287 and 1341 and Title 31, sections 3729–3730 and 3801–3812).” (iv) The funds sought in the request for reimbursement are for eligible services and/or equipment that were purchased in accordance with the Schools and Libraries Cybersecurity Pilot Program rules and requirements in this subpart and received by the school, library, or consortium. The equipment and/or services being requested for reimbursement were determined to be eligible and approved by the Administrator. (v) The non-discounted share of costs amount(s) were billed by the Service Provider and paid for by the Billed Entity Applicant on behalf of the eligible schools, libraries, and consortia of those entities. (vi) The school, library, or consortium is not seeking Schools and Libraries Cybersecurity Pilot Program reimbursement for eligible services and/or equipment that have been purchased and reimbursed in full with other federal, targeted state funding, other external sources of targeted funding, or targeted gifts or are eligible for discounts from the schools and libraries universal service support mechanism or other universal service support mechanisms. (vii) The school, library, or consortium acknowledges that it must submit invoices detailing the items purchased along with the submission of its request for reimbursement as required by § 54.2008(b). (viii) The equipment and/or services the school, library, or consortium purchased will not be sold, resold, or transferred in consideration for money or any other thing of value, except as allowed by § 54.2003(c). (ix) The school, library, or consortium acknowledges that it may be subject to an audit, inspection or investigation pursuant to its request for reimbursement, that it will retain for ten years any and all records related to its request for reimbursement, and will make such records and equipment purchased with Schools and Libraries Cybersecurity Pilot Program reimbursement available at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or federal agency with jurisdiction over the entity. (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid to or received by the applicant from anyone in connection with the Schools and Libraries Cybersecurity Pilot Program or the schools and libraries universal service support mechanism. (xi) The school, library, or consortium acknowledges that Commission rules provide that persons who have been convicted of criminal violations or held civilly liable for certain acts arising from their participation in the universal service support mechanisms are subject to suspension and debarment from the program. The school, library, or consortium will institute reasonable measures to be informed, and will notify the Administrator should it be informed or become aware that any of the entities listed on this application, or any person associated in any way with this entity and/or the entities listed on this application, is convicted of a criminal violation or held civilly liable for acts arising from their participation in the universal service support mechanisms. (xii) No universal service support has been or will be used to purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by any company designated by the Federal Communications Commission as posing a national security threat to the integrity of communications networks or the communications supply chain since the effective date of the designations. (xiii) No federal subsidy made available through a program administered by the Commission that provides funds to be used for the capital expenditures necessary for the provision of advanced communications services has been or will be used to purchase, rent, lease, or otherwise obtain, any covered communications equipment or service, or maintain, any covered communications equipment or service, or maintain any covered communications equipment or service previously purchased, rented, leased, or otherwise obtained, as required by § 54.10. (2) The FCC Form 474 shall be signed by the person authorized to submit requests for reimbursement for the service provider and shall include that person’s certification under penalty of perjury that: (i) “I am authorized to submit this request for reimbursement on behalf of the above-named Service Provider and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this request for reimbursement has been examined and is true, accurate and complete. I acknowledge that any false statement on this request for reimbursement or on other documents submitted by this Service Provider can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502, 503(b)), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001), or can lead to liability under the False Claims Act (31 U.S.C. 3729–3733).” (ii) “In addition to the foregoing, the Service Provider is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities.” (iii) “By signing this request for reimbursement, I certify that the information contained in this request for reimbursement is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, sections 1001, 286–287 and 1341 and Title 31, sections 3729–3730 and 3801–3812).” (iv) The funds sought in the request for reimbursement are for eligible services and/or equipment that were purchased or ordered in accordance with the Schools and Libraries Cybersecurity Pilot Program rules and requirements in this subpart and received by the school, library, or consortium. (v) The Service Provider is not seeking Schools and Libraries Cybersecurity Pilot Program reimbursement for eligible equipment and/or services for which it has already been paid. (vi) The Service Provider certifies that the school’s, library’s, or consortium’s non-discount portion of costs for the eligible equipment and services has not been waived, paid, or promised to be paid by this Service Provider. The Service Provider acknowledges that the provision of a supported service or free services or equipment unrelated to the supported equipment or services constitutes a rebate of the non-discount portion of the costs as stated in § 54.2007(e). (vii) The Service Provider acknowledges that it must submit invoices detailing the items purchased along with the submission of its request for reimbursement as required by § 54.2008(b). (viii) The Service Provider certifies that it is compliant with the Commission’s rules and orders regarding gifts and this Service Provider has not directly or indirectly offered or provided any gifts, gratuities, favors, entertainment, loans, or any other thing of value to any eligible school, library, or consortium, except as provided for at § 54.2005(d). (ix) The service provider acknowledges that it may be subject to an audit, inspection, or investigation pursuant to its request for reimbursement, that it will retain for ten years any and all records related to its request for reimbursement, and will make such records and equipment purchased with Schools and Libraries Cybersecurity Pilot Program reimbursement available at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or federal agency with jurisdiction over the entity. (x) No kickbacks, as defined in 41 U.S.C. 8701, were paid by the Service Provider to anyone in connection with the Schools and Libraries Cybersecurity Pilot Program or the schools and libraries universal service support mechanism. (xi) The Service Provider is not debarred or suspended from any Federal programs, including the universal service support mechanisms. (xii) No universal service support has been or will be used to purchase, obtain, maintain, improve, modify, or otherwise support any equipment or services produced or provided by any company designated by the Federal Communications Commission as posing a national security threat to the integrity of communications networks or the communications supply chain since the effective date of the designations. (xiii) No federal subsidy made available through a program administered by the Commission that provides funds to be used for the capital expenditures necessary for the provision of advanced communications services has been or will be used to purchase, rent, lease, or otherwise obtain, any covered communications equipment or service, or maintain any covered communications equipment or service, or maintain any covered communications equipment or service previously purchased, rented, leased, or otherwise obtained, as required by § 54.10. (b) Required documentation. Along with the submission of a completed FCC Form 472 or a completed FCC Form 474, an applicant selected to participate, or service provider, seeking reimbursement from the Schools and Libraries Cybersecurity Pilot Program must submit invoices detailing the items purchased to the Administrator at the time the FCC Form 472 or FCC Form 474 is submitted. (c) Reimbursement and invoice processing. The Administrator shall accept and review requests for reimbursement and invoices subject to the invoice filing deadlines provided in paragraph (d) of this section. (d) Invoice filing deadline. Invoices must be submitted to the Administrator within ninety (90) days after the last date to receive service, in accordance with § 54.2001. (e) Invoice deadline extensions. In advance of the deadline calculated pursuant to paragraph (c) of this section, billed entities or service providers may request a one-time extension of the invoice filing deadline. The Administrator shall grant a ninety (90) day extension of the invoice filing deadline, if the request is timely filed. § 54.2009 Audits, Inspections, and Investigations. (a) Audits. Schools and Libraries Cybersecurity Pilot Program participants shall be subject to audits and other investigations to evaluate their compliance with the statutory and regulatory requirements for the Schools and Libraries Cybersecurity Pilot Program, including those requirements pertaining to what services and equipment are purchased, what services and equipment are delivered, and how services and equipment are being used. (b) Inspections and investigations. Schools and Libraries Cybersecurity Pilot Program participants shall permit any representative (including any auditor) appointed by a state education department, the Administrator, the Commission, its Office of Inspector General, or any local, state or federal agency with jurisdiction over the entity to enter their premises to conduct inspections for compliance with the statutory and regulatory requirements in this subpart of the Schools and Libraries Cybersecurity Pilot Program. § 54.2010 Records Retention and Production. (a) Recordkeeping requirements. All Schools and Libraries Cybersecurity Pilot Program participants shall retain all documents related to their participation in the program sufficient to demonstrate compliance with all program rules for at least 10 years from the last date of service or delivery of equipment. All Schools and Libraries Cybersecurity Pilot Program applicants shall maintain asset and inventory records of services and equipment purchased sufficient to verify the actual location of such services and equipment for a period of 10 years after purchase. (b) Production of records. All Schools and Libraries Cybersecurity Pilot Program participants shall present such records upon request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission, its Office of the Inspector General, or any local, state or federal agency with jurisdiction over the entity. § 54.2011 Administrator of the Schools and Libraries Cybersecurity Pilot Program. (a) The Universal Service Administrative Company is appointed the permanent Administrator of the Schools and Libraries Cybersecurity Pilot Program and shall be responsible for administering the Schools and Libraries Cybersecurity Pilot Program. (b) The Administrator shall be responsible for reviewing applications for funding, recommending funding commitments, issuing funding commitment decision letters, reviewing invoices and recommending payment of funds, as well as other administration related duties. (c) The Administrator may not make policy, interpret unclear provisions of statutes or rules, or interpret the intent of Congress. Where statutes or the Commission's rules in this subpart are unclear, or do not address a particular situation, the Administrator shall seek guidance from the Commission. (d) The Administrator may advocate positions before the Commission and its staff only on administrative matters relating to the Schools and Libraries Cybersecurity Pilot Program. (e) The Administrator shall create and maintain a website, as defined in § 54.5, on which applications for services will be posted on behalf of schools and libraries. (f) The Administrator shall provide the Commission full access to the data collected pursuant to the administration of the Schools and Libraries Cybersecurity Pilot Program. (g) The administrator shall provide performance measurements pertaining to the Schools and Libraries Cybersecurity Pilot Program as requested by the Commission by order or otherwise. (h) The Administrator shall have the authority to audit all entities reporting data to the Administrator regarding the Schools and Libraries Cybersecurity Pilot Program. When the Commission, the Administrator, or any independent auditor hired by the Commission or the Administrator, conducts audits of the participants of the Schools and Libraries Cybersecurity Pilot Program, such audits shall be conducted in accordance with generally accepted government auditing standards. (i) The Administrator shall establish procedures to verify support amounts provided by the Schools and Libraries Cybersecurity Pilot Program and may suspend or delay support amounts if a party fails to provide adequate verification of the support amounts provided upon reasonable request from the Administrator or the Commission. (j) The Administrator shall make available to whomever the Commission directs, free of charge, any and all intellectual property, including, but not limited to, all records and information generated by or resulting from its role in administering the support mechanisms, if its participation in administering the Schools and Libraries Cybersecurity Pilot Program ends. If its participation in administering the Schools and Libraries Cybersecurity Pilot Program ends, the Administrator shall be subject to close-out audits at the end of its term. § 55.2012 Appeal and waiver requests. (a) Parties permitted to seek review of Administrator decision. (1) Any party aggrieved by an action taken by the Administrator must first seek review from the Administrator. (2) Any party aggrieved by an action taken by the Administrator under paragraph (a)(1) of this section may seek review from the Federal Communications Commission as set forth in paragraph (b) of this section. (3) Parties seeking waivers of the Commission’s rules in this subpart shall seek relief directly from the Commission and need not first file an action for review from the Administrator under paragraph (a)(1) of this section. (b) Filing deadlines. (1) An affected party requesting review of a decision by the Administrator pursuant to paragraph (a)(1) of this section shall file such a request within thirty (30) days from the date the Administrator issues a decision. (2) An affected party requesting review by the Commission pursuant to paragraph (a)(2) of this section of a decision by the Administrator under paragraph (a)(1) of this section shall file such a request with the Commission within thirty (30) days from the date of the Administrator's decision. Further, any party seeking a waiver of the Commission’s rules under paragraph (a)(3) of this section shall file a request for such waiver within thirty (30) days from the date of the Administrator's initial decision, or, if an appeal is filed under paragraph (a)(1) of this section, within thirty days from the date of the Administrator's decision resolving such an appeal. (3) Parties shall adhere to the time periods for filing oppositions and replies set forth in § 1.45 of this chapter. (c) General filing requirements. (1) Except as otherwise provided in this section, a request for review of an Administrator decision by the Commission shall be filed with the Commission's Office of the Secretary in accordance with the general requirements set forth in part 1 of this chapter. The request for review shall be captioned “In the Matter of Request for Review by (name of party seeking review) of Decision of Universal Service Administrator” and shall reference the applicable docket numbers. (2) A request for review pursuant to paragraphs (a)(1) through (3) of this section shall contain: (i) A statement setting forth the party's interest in the matter presented for review; (ii) A full statement of relevant, material facts with supporting affidavits and documentation; (iii) The question presented for review, with reference, where appropriate, to the relevant Commission rule, Commission order, or statutory provision; and; (iv) A statement of the relief sought and the relevant statutory or regulatory provision pursuant to which such relief is sought. (3) A copy of a request for review that is submitted to the Commission shall be served on the Administrator consistent with the requirement for service of documents set forth in § 1.47 of this chapter. (4) If a request for review filed pursuant to paragraphs (a)(1) through (3) of this section alleges prohibitive conduct on the part of a third party, such request for review shall be served on the third party consistent with the requirement for service of documents set forth in § 1.47 of this chapter. The third party may file a response to the request for review. Any response filed by the third party shall adhere to the time period for filing replies set forth in § 1.45 of this chapter and the requirement for service of documents set forth in § 1.47 of this chapter. (d) Review by the Wireline Competition Bureau or the Commission. (1) Requests for review of Administrator decisions that are submitted to the Federal Communications Commission shall be considered and acted upon by the Wireline Competition Bureau; provided, however, that requests for review that raise novel questions of fact, law, or policy shall be considered by the full Commission. (2) An affected party may seek review of a decision issued under delegated authority by the Wireline Competition Bureau pursuant to the rules set forth in part 1 of this chapter. (e) Standard of review. (1) The Wireline Competition Bureau shall conduct de novo review of requests for review of decisions issued by the Administrator. (2) The Commission shall conduct de novo review of requests for review of decisions by the Administrator that involve novel questions of fact, law, or policy; provided, however, that the Commission shall not conduct de novo review of decisions issued by the Wireline Competition Bureau under delegated authority. (f) Schools and Libraries Cybersecurity Pilot Program disbursements during pendency of a request for review and Administrator decision. When a party has sought review of an Administrator decision under paragraphs (a)(1) through (3) of this section, the Commission shall not process a request for the reimbursement of eligible equipment and/or services until a final decision has been issued either by the Administrator or by the Commission; provided, however, that the Commission may authorize disbursement of funds for any amount of support that is not the subject of an appeal. APPENDIX B Initial Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601–612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities by the policies and rules proposed in the Schools and Libraries Cybersecurity Pilot Program, Notice of Proposed Rulemaking (NPRM). Written public comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments in the NPRM. The Commission will send a copy of the NPRM, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). 5 U.S.C. § 603(a). In addition, the NPRM and IRFA (or summaries thereof) will be published in the Federal Register. Id. A. Need for, and Objectives of, the Proposed Rules 2. In the NPRM, we propose a Schools and Libraries Cybersecurity Pilot Program (Pilot) that will assist us in obtaining valuable data to satisfy the requirements to support cybersecurity and advanced firewall services for eligible schools and libraries. We seek comment on what role the federal Universal Service Fund (USF) could play in helping K-12 schools and libraries protect their E-Rate-funded broadband networks and data, and improve their ability to defend against the cyber threats and attacks that have increasingly been targeting K-12 schools and libraries, and their students’ and patrons’ data. We expect that the data gathered from the Pilot will help us understand whether and how USF funds could best be leveraged to help address the K-12 cybersecurity challenges, and the data and information collected through this Pilot may also aid in the consideration of broader reforms—whether statutory changes or updates to rules—that could support helping schools and libraries address the significant K-12 cybersecurity concerns that impact them. 3. First, we propose three goals for the proposed Pilot and that the Pilot be for a three-year term with a budget of $200 million. These include: (1) improving the security and protection of E-Rate-funded broadband networks and user data; (2) measuring the costs associated with cybersecurity and advanced firewall services, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants; and (3) evaluating how to leverage other federal K-12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity-related needs. Second, we propose that interested K-12 schools and libraries apply to be Pilot participants by submitting an application containing information about how they would use the Pilot funds and providing information about their proposed cybersecurity and advanced firewall projects. We also seek comment on the application process and the objective criteria for selecting participants among the applications we receive for the Pilot. In addition, we propose that Pilot participants be permitted to seek funding for services and equipment to be provided over the proposed three-year term. We further propose that Pilot participants submit a single application with their funding requests that will be relied on for the proposed three-year term of the Pilot and be supported by multi-year contract(s)/agreement(s) for this term. We also seek comment on the extent to which E-Rate or ECF program processes, rules, and forms could be leveraged and adopted to apply to the proposed Pilot, including, for example, competitive bidding, funding disbursement, invoicing, document retention, and auditing processes, rules, and forms. Finally, we seek comment on the Commission’s legal authority to establish the proposed Pilot and the applicability of the Children’s Internet Protection Act (CIPA) to the proposed Pilot. We believe that, through the Pilot, we will be able to fund a range of diverse cybersecurity projects for K-12 schools and libraries throughout the country. B. Legal Basis 4. The proposed actions are authorized pursuant to sections 1 through 4, 201 through 202, 254, 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151 through 154, 201 through 202, 254, 303(r), and 403. C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules will Apply 5. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules, if adopted. See id. § 603(b)(3). The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” Id. § 601(6). In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. Id. § 601(3) (incorporating by reference the definition of “small business concern” in 15 U.S.C. § 632(a)). Pursuant to the RFA, the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” 5 U.S.C. § 601(3). A small business concern is one that: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA). Small Business Act, 15 U.S.C. § 632. 6. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe, at the outset, three broad groups of small entities that could be directly affected herein. See 5 U.S.C. § 601(3)-(6). First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. See SBA, Office of Advocacy, “What’s New With Small Business?,” https://advocacy.sba.gov/wp-content/uploads/2023/03/Whats-New-Infographic-March-2023-508c.pdf (Mar. 2023). These types of small businesses represent 99.9% of all businesses in the United States, which translates to 33.2 million businesses. Id. 7. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” 5 U.S.C. § 601(4). The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C § 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number of small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt Organizations – Form 990-N (e-Postcard), “Who must file,” https://www.irs.gov/charities-non-profits/annual-electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS. See Exempt Organizations Business Master File Extract (EO BMF), “CSV Files by Region,” https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf. The IRS Exempt Organization Business Master File (EO BMF) Extract provides information on all registered tax-exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO BMF data for businesses for the tax year 2020 with revenue less than or equal to $50,000 for Region 1-Northeast Area (58,577), Region 2-Mid-Atlantic and Great Lakes Areas (175,272), and Region 3-Gulf Coast and Pacific Coast Areas (213,840) that includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico. 8. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” 5 U.S.C. § 601(5). U.S. Census Bureau data from the 2017 Census of Governments 13 U.S.C. § 161. The Census of Governments survey is conducted every five (5) years compiling data for years ending with “2” and “7”. See also Census of Governments, https://www.census.gov/programs-surveys/cog/about.html. indicate there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. U.S. Census Bureau, 2017 Census of Governments – Organization Table 2. Local Governments by Type and State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts). See also tbl.2. CG1700ORG02 Table Notes_Local Governments by Type and State_2017. Of this number, there were 36,931 general purpose governments (county, Id. at tbl.5. County Governments by Population-Size Group and State: 2017 [CG1700ORG05], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments. municipal, and town or township Id. at tbl.6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017 [CG1700ORG06], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 18,729 municipal and 16,097 town and township governments with populations less than 50,000. ) with populations of less than 50,000 and 12,040 special purpose governments—independent school districts Id. at tbl.10. Elementary and Secondary School Systems by Enrollment-Size Group and State: 2017 [CG1700ORG10], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 12,040 independent school districts with enrollment populations less than 50,000. See also tbl.4. Special-Purpose Local Governments by State Census Years 1942 to 2017 [CG1700ORG04], CG1700ORG04 Table Notes_Special Purpose Local Governments by State_Census Years 1942 to 2017. with enrollment populations of less than 50,000. While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.” This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments - independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments - Organizations tbls.5, 6 & 10. 1. Schools and Libraries 9. Schools. The closest applicable industry with a SBA small business size standard is Elementary and Secondary Schools. See U.S. Census Bureau, 2017 NAICS Definition, “611110 Elementary and Secondary Schools,” https://www.census.gov/naics/?input=611110&year=2017&details=611110. This industry comprises establishments primarily engaged in furnishing academic courses and associated course work that comprise a basic preparatory education. Id. A basic preparatory education ordinarily constitutes kindergarten through 12th grade. Id. The SBA small business size standard for Elementary and Secondary Schools classifies firms with annual receipts of $17.5 million or less as small. 13 CFR § 121.201, NAICS Code 611110. The Commission does not have a size standard for small entities specifically applicable to schools. The Commission’s definition of schools pertains to entities that participate in the E-Rate program which provides support to eligible schools and libraries to enable access to high-speed Internet access and telecommunications services at affordable rates, consistent with the objectives of universal service. 10. Under the E-Rate program, an elementary school is generally defined as “a non-profit institutional day or residential school that provides elementary education, as determined under state law.” 47 CFR § 54.500. A secondary school is generally defined as “a non-profit institutional day or residential school that provides secondary education, as determined under state law,” and not offering education beyond grade 12. Id. For-profit schools, and schools with endowments in excess of $50,000,000, are not eligible to receive discounts under the E-Rate program. 47 CFR § 54.501. In calendar year 2017, the E-Rate program provided funding to approximately 104,722 schools throughout the U.S. and its territories. See Universal Service Administrative Company, Annual Report, at 7, https://www.usac.org/wp-content/uploads/about/documents/annual-reports/2017/USAC-2017-Annual-Report.pdf. While we do not have financial information that would allow us to estimate the number of schools that would qualify as small entities under SBA’s small business size standard, because of the nature of these entities we estimate that the majority of schools in the E-Rate program are small entities under the SBA size standard. 11. Libraries. The closest applicable industry with a SBA small business size standard is Libraries and Archives. See U.S. Census Bureau, 2017 NAICS Definition, “519120 Libraries and Archives,” https://www.census.gov/naics/?input=519120&year=2017&details=519120. This industry comprises establishments primarily engaged in providing library or archive services. Id. These establishments are engaged in maintaining collections of documents (e.g., books, journals, newspapers, and music) and facilitating the use of such documents (recorded information regardless of its physical form and characteristics) as required to meet the informational, research, educational, or recreational needs of their users. Id. These establishments may also acquire, research, store, preserve, and generally make accessible to the public historical documents, photographs, maps, audio material, audiovisual material, and other archival material of historical interest. Id. All or portions of these collections may be accessible electronically. Id. The SBA small business size standard for Libraries and Archives classifies firms with annual receipts of $18.5 million or less as small. 13 CFR § 121.201, NAICS Code 519120 (as of 10/1/22, NAICS Code 519210). For this industry, U.S. Census Bureau data for 2017 show that there were 1,864 firms that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 519120, https://data.census.gov/cedsci/table?y=2017&n=519120&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number, 1,228 firms had revenues of less than $10 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual category for less than $100,000, to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in this category). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We also note that the U.S. Census Bureau economic data includes sales, value of shipments or revenue information reported by firms. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the majority of firms in this industry can be considered small. 12. The Commission does not have a size standard for small entities specifically applicable to libraries. The Commission’s definition of libraries pertains to entities that participate in the E-Rate program which provides support to eligible schools and libraries to enable access to high-speed Internet access and telecommunications services at affordable rates, consistent with the objectives of universal service. Under the E-Rate program, a library includes “(1) a public library, (2) a public elementary school or secondary school library, (3) a Tribal library, (4) an academic library, (5) a research library . . . and (6) a private library, but only if the state in which such private library is located determines that the library should be considered a library for the purposes of this definition.” 47 CFR § 54.500. For-profit libraries are not eligible to receive discounts under the program, nor are libraries whose budgets are not completely separate from any schools. 47 CFR § 54.501. In calendar year 2017, the E-Rate program provided funding to approximately 11,475 libraries throughout the U.S. and its territories. See Universal Service Administrative Company, Annual Report, at 7, https://www.usac.org/wp-content/uploads/about/documents/annual-reports/2017/USAC-2017-Annual-Report.pdf. While we do not have financial information which would allow us to estimate the number of libraries that would qualify as small entities under SBA’s small business size standard, because of the nature of these entities we estimate that the majority of libraries in the E-Rate program are small entities under the SBA size standard. 2. Telecommunications Service Providers 13. Telecommunications Resellers. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 666 providers that reported they were engaged in the provision of local or toll resale services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 640 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 14. Local Resellers. Neither the Commission nor the SBA have developed a small business size standard specifically for Local Resellers. Telecommunications Resellers is the closest industry with a SBA small business size standard. See U.S. Census Bureau, 2017 NAICS Definition, “517911 Telecommunications Resellers,” https://www.census.gov/naics/?input=517911&year=2017&details=517911. The Telecommunications Resellers industry comprises establishments engaged in purchasing access and network capacity from owners and operators of telecommunications networks and reselling wired and wireless telecommunications services (except satellite) to businesses and households. Id. Establishments in this industry resell telecommunications; they do not operate transmission facilities and infrastructure. Id. Mobile virtual network operators (MVNOs) are included in this industry. Id. The SBA small business size standard for Telecommunications Resellers classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517911 (as of 10/1/22, NAICS Code 517121). U.S. Census Bureau data for 2017 show that 1,386 firms in this industry provided resale services for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517911, https://data.census.gov/cedsci/table?y=2017&n=517911&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 1,375 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 207 providers that reported they were engaged in the provision of local resale services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 202 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 15. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired communications networks. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution, and wired broadband Internet services. Id. By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Id. Wired Telecommunications Carriers are also referred to as wireline carriers or fixed local service providers. Fixed Local Service Providers include the following types of providers: Incumbent Local Exchange Carriers (ILECs), Competitive Access Providers (CAPs) and Competitive Local Exchange Carriers (CLECs), Cable/Coax CLECs, Interconnected VOIP Providers, Non-Interconnected VOIP Providers, Shared-Tenant Service Providers, Audio Bridge Service Providers, and Other Local Service Providers. Local Resellers fall into another U.S. Census Bureau industry group and therefore data for these providers is not included in this industry. 16. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 4,590 providers that reported they were engaged in the provision of fixed local services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 4,146 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 17. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Id. Providers of Internet services (e.g. dial-up ISPs) or VoIP services, via client-supplied telecommunications connections are also included in this industry. Id. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. 13 CFR § 121.201, NAICS Code 517919 (as of 10/1/22, NAICS Code 517810). U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small. 18. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless Internet access, and wireless video services. Id. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2022 Universal Service Monitoring Report, as of December 31, 2021, there were 594 providers that reported they were engaged in the provision of wireless services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2022), https://docs.fcc.gov/public/attachments/DOC-391070A1.pdf. Of these providers, the Commission estimates that 511 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 19. Wireless Carriers and Service Providers. Wireless Telecommunications Carriers (except Satellite) is the closest industry with a SBA small business size standard applicable to these service providers. See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 797 providers that reported they were engaged in the provision of wireless services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2021), https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf. Of these providers, the Commission estimates that 715 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities. 3. Internet Service Providers (ISPs) 20. Wired Broadband Internet Access Service Providers (Wired ISPs). Formerly included in the scope of the Internet Service Providers (Broadband), Wired Telecommunications Carriers, and All Other Telecommunications small entity industry descriptions. Providers of wired broadband Internet access service include various types of providers except dial-up Internet access providers. Wireline service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. See 47 CFR § 1.7001(a)(1). Wired broadband Internet services fall in the Wired Telecommunications Carriers industry. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. The SBA small business size standard for this industry classifies firms having 1,500 or fewer employees as small. 13 CFR § 121.201, NAICS Code 517311 (as of 10/1/22, NAICS Code 517111). U.S. Census Bureau data for 2017 show that there were 3,054 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 21. Additionally, according to Commission data on Internet access services as of December 31, 2018, nationwide there were approximately 2,700 providers of connections over 200 kbps in at least one direction using various wireline technologies. See IAS Status 2018, Fig. 30 (The technologies used by providers include aDSL, sDSL, Other Wireline, Cable Modem and FTTP). Other wireline includes: all copper-wire based technologies other than xDSL (such as Ethernet over copper, T-1/DS-1 and T3/DS-1) as well as power line technologies which are included in this category to maintain the confidentiality of the providers. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, in light of the general data on fixed technology service providers in the Commission’s 2022 Communications Marketplace Report, Communications Marketplace Report, GN Docket No. 22-203, 2022 WL 18110553 at 10, paras. 26-27, Figs. II.A.5-7. (2022) (2022 Communications Marketplace Report). we believe that the majority of wireline Internet access service providers can be considered small entities. 22. Wireless Broadband Internet Access Service Providers (Wireless ISPs or WISPs). Formerly included in the scope of the Internet Service Providers (Broadband), Wireless Telecommunications Carriers (except Satellite) and All Other Telecommunications small entity industry descriptions. Providers of wireless broadband Internet access service include fixed and mobile wireless providers. The Commission defines a WISP as “[a] company that provides end-users with wireless access to the Internet[.]” Federal Communications Commission, Internet Access Services: Status as of December 31, 2018 (IAS Status 2018), Industry Analysis Division, Office of Economics & Analytics (September 2020). The report can be accessed at https://www.fcc.gov/economics-analytics/industry-analysis-division/iad-data-statistical-reports. Wireless service that terminates at an end user location or mobile device and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kilobits per second (kbps) in at least one direction is classified as a broadband connection under the Commission’s rules. 47 CFR § 1.7001(a)(1). Neither the SBA nor the Commission have developed a size standard specifically applicable to Wireless Broadband Internet Access Service Providers. The closest applicable industry with an SBA small business size standard is Wireless Telecommunications Carriers (except Satellite). See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. 13 CFR § 121.201, NAICS Code 517312 (as of 10/1/22, NAICS Code 517112). U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 23. Additionally, according to Commission data on Internet access services as of December 31, 2018, nationwide there were approximately 1,209 fixed wireless and 71 mobile wireless providers of connections over 200 kbps in at least one direction. IAS Status 2018, Fig. 30. The Commission does not collect data on the number of employees for providers of these services, therefore, at this time we are not able to estimate the number of providers that would qualify as small under the SBA’s small business size standard. However, based on data in the Commission’s 2022 Communications Marketplace Report on the small number of large mobile wireless nationwide and regional facilities-based providers, the dozens of small regional facilities-based providers and the number of wireless mobile virtual network providers in general, 2022 Communications Marketplace Report, 2022 WL 18110553 at 27, paras. 64-68. as well as on terrestrial fixed wireless broadband providers in general, Id. at 8, para. 22. we believe that the majority of wireless Internet access service providers can be considered small entities. 24. Internet Service Providers (Non-Broadband). Internet access service providers using client-supplied telecommunications connections (e.g., dial-up ISPs) as well as VoIP service providers using client-supplied telecommunications connections fall in the industry classification of All Other Telecommunications. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. 13 CFR § 121.201, NAICS Code 517919 (as of 10/1/22, NAICS Code 517810). For this industry, U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Consequently, under the SBA size standard a majority of firms in this industry can be considered small. 4. Vendors of Internal Connections 25. Vendors of Infrastructure Development or Network Buildout. Neither the Commission nor the SBA have developed a small business size standard specifically directed toward manufacturers of network facilities. There are two applicable industries in which manufacturers of network facilities could fall and each have different SBA business size standards. The applicable industries are “Radio and Television Broadcasting and Wireless Communications Equipment” See U.S. Census Bureau, 2017 NAICS Definition, “334220 Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing,” https://www.census.gov/naics/?input=334220&year=2017&details=334220. with a SBA small business size standard of 1,250 employees or less, 13 CFR § 121.201, NAICS Code 334220. and “Other Communications Equipment Manufacturing” See U.S. Census Bureau, 2017 NAICS Definition, “334290 Other Communications Equipment Manufacturing,” https://www.census.gov/naics/?input=334290&year=2017&details=334290. with a SBA small business size standard of 750 employees or less.” 13 CFR § 121.201, NAICS Code 334290. U.S. Census Bureau data for 2017 show that for Radio and Television Broadcasting and Wireless Communications Equipment there were 656 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 334220, https://data.census.gov/cedsci/table?y=2017&n=334220&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 624 firms had fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. For Other Communications Equipment Manufacturing, U.S. Census Bureau data for 2017 show that there were 321 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 334290, https://data.census.gov/cedsci/table?y=2017&n=334290&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 310 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, we conclude that the majority of firms in this industry are small. 26. Telephone Apparatus Manufacturing. This industry comprises establishments primarily engaged in manufacturing wire telephone and data communications equipment. See U.S. Census Bureau, 2017 NAICS Definition, “334210 Telephone Apparatus Manufacturing,” https://www.census.gov/naics/?input=334210&year=2017&details=334210. These products may be stand-alone or board-level components of a larger system. Id. Examples of products made by these establishments are central office switching equipment, cordless and wire telephones (except cellular), PBX equipment, telephone answering machines, LAN modems, multi-user modems, and other data communications equipment, such as bridges, routers, and gateways. Id. The SBA small business size standard for Telephone Apparatus Manufacturing classifies businesses having 1,250 or fewer employees as small. 13 CFR § 121.201, NAICS Code 334210. U.S. Census Bureau data for 2017 show that there were 189 firms in this industry that operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 334210, https://data.census.gov/cedsci/table?y=2017&n=334210&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 177 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus, under the SBA size standard, the majority of firms in this industry can be considered small. 5. Other Service Providers 27. Custom Computer Programming Services. This industry is comprised of establishments primarily engaged in writing, modifying, testing, and supporting software to meet the needs of a particular customer. See U.S. Census Bureau, 2017 NAICS Definition, “541511 Custom Computer Programming Services,” https://www.census.gov/naics/?input=541511&year=2017&details=541511. The industry includes firms engaged in applications software programming, computer program or software development, computer programming services, computer software analysis and design services, computer software programming services, computer software support services, and Web (i.e., Internet) page design services. Id. The SBA small business size standard for this industry classifies firms having annual receipts of $30 million or less as small. 13 CFR § 121.201, NAICS Code 541511. According to 2017 U.S. Census Bureau data there were 46,636 firms that operated in this industry for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 541511, https://data.census.gov/cedsci/table?y=2017&n=541511&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number, 45,394 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the Commission concludes that the majority of the businesses engaged in this industry are small. 28. Other Computer Related Services (Except Information Technology Value Added Resellers). This industry comprises establishments primarily engaged in providing computer related services (except custom programming, systems integration design, and facilities management services). See U.S. Census Bureau, 2017 NAICS Definition, “541519 Other Computer Related Services,” https://www.census.gov/naics/?input=541519&year=2017&details=541519. Establishments providing computer disaster recovery services or software installation services are included in this industry. Id. The SBA small business size standard for this industry classifies firms with annual receipts of $30 million or less as small. 13 CFR § 121.201, NAICS Code 541519. The 2017 Economic Census indicates that 6,228 firms in this industry operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 541519, https://data.census.gov/cedsci/table?y=2017&n=541519&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of that number, 6,104 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, we conclude that a majority of firms in this industry are small. 29. Information Technology Value Added Resellers. Information Technology Value Added Resellers (ITVARs) fall with the Other Computer Related Services industry. See U.S. Census Bureau, 2017 NAICS Definition, “541519 Other Computer Related Services,” https://www.census.gov/naics/?input=541519&year=2017&details=541519. ITVARs are a subgroup of this industry which the SBA describes as providing a total solution to information technology acquisitions by providing multi-vendor hardware and software along with significant value added services. See 13 CFR § 121.201, NAICS Code 541519_Except note 18. Significant value added services consist of, but are not limited to, configuration consulting and design, systems integration, installation of multi-vendor computer equipment, customization of hardware or software, training, product technical support, maintenance, and end user support. Id. The SBA small business size standard for ITVARs classifies a business as small if it has 150 or fewer employees. Id. According to U.S. Census Bureau data for 2017, 6,228 firms in this industry operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 541519, https://data.census.gov/cedsci/table?y=2017&n=541519&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 6,086 firms operated with fewer than 100 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Based on this data, the Commission estimates that the majority of information technology value added resellers can be considered small. 30. Software Publishers. This industry comprises establishments primarily engaged in computer software publishing or publishing and reproduction. See U.S. Census Bureau, 2017 NAICS Definition, “511210 Software Publishers,” https://www.census.gov/naics/?input=511210&year=2017&details=511210. Establishments in this industry carry out operations necessary for producing and distributing computer software, such as designing, providing documentation, assisting in installation, and providing support services to software purchasers. Id. These establishments may design, develop, and publish, or publish only. Id. The SBA small business size standard for this industry classifies businesses having annual receipts of $41.5 million or less as small. 13 CFR § 121.201, NAICS Code 511210 (as of 10/1/22, NAICS Code 513210). U.S. Census Bureau data for 2017 indicate that 7,842 firms in this industry operated for the entire year. U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 511210, https://data.census.gov/cedsci/table?y=2017&n=511210&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number 7,226 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, we conclude that a majority of firms in this industry are small. D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 31. In the NPRM, the Commission seeks comment on a proposed Pilot with a $200 million budget and three-year duration, that would provide support for cybersecurity and advanced firewall services for eligible K-12 schools and libraries. 32. To participate in the Pilot, the NPRM proposes that interested K-12 schools and libraries apply by submitting an application containing information about how they would use the Pilot funds and providing information about their proposed cybersecurity and advanced firewall projects. All eligible schools and libraries that choose to participate may be required to collect and submit data as part of the application process, at regular intervals during the Pilot program and at the end of the Pilot, to the Universal Service Administrative Company (USAC) and the Commission. The collection of this information, which may go beyond that provided in FCC Forms 470 and 471, is necessary to evaluate the impact of the Pilot, including whether the Pilot achieves its goals. This includes the proposed evaluation process, with annual and final progress reports detailing use of funds and effectiveness of the program. It is expected that the benefits of collecting this information will outweigh any potential costs. 33. Application requirements will necessitate that small entities make an assessment of their cybersecurity posture and services needed to address risks, which may require additional staff and/or staff with related expertise. The proposal to incorporate the existing E-Rate forms, processes, and software systems for seeking bids, requesting funding, and requesting disbursement/invoicing into the proposed Pilot may decrease the burden on small entities that are already familiar with these requirements. This may result in proposals from small entities that lessen the economic impact of the Pilot and increase their participation. In contrast, additional protections proposed in the NPRM, such as, document retention requirements, audits, site visits, and other methods of review in the Pilot, may require small entities to incur additional operational costs. 34. The NPRM also proposes that participants be permitted to seek funding for services and equipment to be provided over the proposed three-year term and be supported by multi-year contract(s)/agreement(s) for this term. The NPRM also considers whether to adopt prerequisites for Pilot participants, some of which may require small entities to acquire additional software, equipment, or staffing. For example, the NPRM seeks comment on whether Pilot participants should be limited to those schools and libraries that have already implemented or are in the process of implementing CISA’s K-12 cybersecurity or other cybersecurity recommendations. 35. In assessing the cost of compliance for small entities, at this time the Commission cannot quantify the cost of compliance with any of the proposals that may be adopted. Further, the Commission is not in a position to determine whether, if adopted, the proposals and matters upon which the NPRM seeks comment will require small entities to hire professionals to comply. However, consistent with our objectives to leverage and adopt existing E-Rate processes and procedures, we do not anticipate that small entities will be required to hire professionals to comply with any proposals we adopt. We expect the information we receive in comments, including, where requested, cost information, will help the Commission identify and evaluate relevant compliance matters for small entities, including compliance costs and other burdens that may result from potential changes discussed in the NPRM. E. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 36. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.” 5 U.S.C. § 603(c)(1) – (c)(4). 37. The NPRM considers a number of alternatives which we expect may have a beneficial impact on small entities. For example, allowing additional ramp-up time so that participants may prepare for the Pilot could benefit small entities that would need more time to implement cybersecurity measures. The funding proposals, including whether to distribute evenly over the three-year period and establishing funding caps, may impact the resources of small entities that would require flexibility to implement the Pilot program. Small entities may benefit from the NPRM’s proposal to certify they do not have the resources to implement CISA’s K-12 cybersecurity recommendations, as opposed to demonstrating that they have implemented those or similar actions. The NPRM proposes an application process that would encourage a wide variety of eligible schools and libraries to participate, including small entities. See, e.g., NPRM, at para. 33. We seek to strike a balance between requiring applicants to submit enough information that would allow us to select high-quality, cost-effective projects that would best further the goals of the Pilot program, but also minimize the administrative burdens on small entities that seek to apply and participate in the Pilot. 38. We do not expect the requirements for the proposed Pilot to have a significant economic impact on eligible K-12 schools and libraries for several reasons. We expect to leverage and adopt existing E-Rate processes and procedures and also note that schools and libraries have the choice of whether to participate in the Pilot. The Bureau will also consider whether the proposed projects will promote entrepreneurs and other small businesses in the provision and ownership of telecommunications and information services, consistent with section 257 of the Communications Act, including those that may be socially and economically disadvantaged businesses. 39. The Commission expects the information received in the comments to allow it to more fully consider ways to minimize the economic impact on small entities and explore additional alternatives to improve and simplify opportunities for small entities to participate in the Pilot. F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules 40. None. Federal Communications Commission FCC 23-92 STATEMENT OF CHAIRWOMAN JESSICA ROSENWORCEL Re: Schools and Libraries Cybersecurity Pilot Program, WC Docket No. 23-234, Notice of Proposed Rulemaking (November 8, 2023). Connected technologies power our schools and libraries. They support education, research, and training. They assist with administration. They are essential for resource and data management. But for all the strengths of these technologies, they can also introduce new security vulnerabilities. If you need evidence, consider the cyberattacks on urban and rural school networks during the last several years. These intrusions have affected districts across the country, including in California, Iowa, New York, and Wisconsin. Schools in these states have been targeted with ransomware attacks, resulting in everything from network malfunctions to student privacy vulnerabilities to unexpected expenses to get their systems back online. The Federal Communications Commission has a role to play here. That’s because these cyberattacks can undermine the connectivity that schools and libraries count on day-in and day- out. Plus, for many of these institutions, this connectivity is delivered by E-Rate, the program that for more than a quarter of a century has supported communications for schools and libraries across the country. E-Rate also has provided limited support for basic firewall services. But the scale of recent cyberattacks on these institutions suggests that this is a problem that is too big and complex for one agency to handle alone. It requires thoughtful action and careful consideration. So in order to find the right way to tackle this problem, we are proposing to establish a pilot program to support cybersecurity services for schools and libraries. With this pilot program, we aim to better understand these issues and how the FCC can leverage its resources to help address evolving cyber threats. A central theme that we will explore is how to balance this in light of the complementary work of federal agency partners, like the Cybersecurity and Infrastructure Security Agency and the Department of Education, that have greater experience and other programs in this area. And we are proposing to establish the pilot program within the Universal Service Fund but separate from the E-Rate program. We think this is the best approach to make sure gains in enhanced cybersecurity do not come at the cost of undermining E-Rate’s success in promoting digital equity and basic connectivity. This is critical. Moreover, we have experience doing it this way because we are modeling this initiative on another FCC program from a few years ago known as the Connected Care Pilot Program. Ultimately, we want to learn from this effort, identify how to get the balance right, and provide our federal, state, and local government partners with actionable data about the most effective and coordinated way to address this growing problem. 2