Securing funding from the four major broadband funding programs can provide significant resources to broadband service providers. These programs include complex requirements that providers must follow to access funds, particularly in relation to cybersecurity and supply chain risk management.

Below is a roadmap to help develop and maintain a functioning cybersecurity program for your organization, including steps that could help streamline the process by gathering data, devising policies and plans, and continuing remediation.

Management Requirements in Funding Programs

Several federal broadband and other funding programs contain cybersecurity and supply chain risk (SCRM) management requirements, including:

• Broadband Equity Access and Deployment Program (BEAD)
• Enhanced Alternative Connect America Cost Model (E-ACAM)
• Tribal Broadband Connectivity Program
• ReConnect Program Round Five

In general, these requirements relate to acknowledging cybersecurity and supply chain risk management standards, adopting plans within certain time frames, and updating those plans as necessary.

The Federal Communications Commission (FCC) has acknowledged the importance of cybersecurity and recognized the authority to address these issues by reclassifying broadband internet access service (BIAS) as a Title II service.

Federal broadband funding programs administered by the National Telecommunications and Information Administration (NTIA) and the Rural Utilities Service (RUS) also require prospective awardees to address certain cybersecurity and SCRM requirements. Within each of these requirements, there are themes that stand out and consistent across each of the rule sets.

Cybersecurity and Supply Chain Risk Management

Carriers need to have cybersecurity and supply chain risk management plans in place, and they need to be operational or able to be operational when service is provided.

Framework and Goals

Each of the rules point to the NIST Cybersecurity Framework (CSF), and in most cases the Cybersecurity and Infrastructure Security Agency (CISA) cross-sector cybersecurity performance goals (CPGs). The CPGs were specifically developed as a subset of cybersecurity practices for small- and medium-sized organizations.

The CPGs are being updated to reflect the latest version of the CSF and both cybersecurity and supply chain risk requirements are included.

Steps to Comply with Broadband Funding Program Requirements

So, where should carriers start? A few simple steps are noted below.

Gather Data

The first step in any project is data gathering—understanding where you are relative to where you need to get.

A gap assessment will provide this data, and highlight areas of compliance, noncompliance, and provide recommendations to remediate any areas that are weak.

Devise Policies and Plans

Once the gaps are known and understood, policies and plans should be developed. A cybersecurity plan is more than just aspirations and forward-looking ideas. It’s more akin to a policy that asks what you’re going to do as part of cybersecurity and supply chain risk management.

The plan should include both things that are already in place and things you plan to put in place in the future. Any items in these documents that are still in the works should then be captured in a corrective action plan (CAP).

The CAP should identify:

• Aspects of the plan that you aren’t already doing
• What plans you have in place to remediate those items
• Who’s responsible
• Timeline to get them done

The CAP is a living document. Update it on a regular basis so at any given point in time it’s an accurate reflection of your corrective actions.

Once you’ve checked something off the list, add it to a separate portion of the document to memorialize completed corrective actions. This way, any future outside parties, such as assessors or regulators, will know that you’ve followed through on resolving issues.

Continuing Remediation

Once plans are documented, and corrective action plans are in place, cybersecurity programs have two parallel paths. Items in the CAP must be remediated over time, but there are also items that must be continuously executed to ensure the plans stay operational. Regular vulnerability scanning, annual penetration tests, and an annual third-party control assessment are required.

In the end, you have a functioning cybersecurity program, with built-in feedback loops and processes to continuously correct and improve the program.

Cybersecurity and Supply Chain Risk Management Plan Requirements

Following are summaries of the cybersecurity and supply chain risk management plan requirements for federal broadband funding and universal service support programs.

NTIA: Tribal Broadband Connectivity Program (TBCP) Round 2

Applicants were required to include a certification regarding compliance with cybersecurity and supply chain management requirements with the other application materials. Then, awardees (including prospective subgrantees) are required to complete certain actions within 12 months of accepting the funding award.

Steps to be taken include:

• Review the CISA cross-sector cybersecurity performance goals (CPG)
• Perform an initial assessment of cybersecurity practices using the CPG checklist
• Develop and submit a Cybersecurity Risk Management Plan
• Have a SCRM plan in place

NTIA: Broadband Equity, Access, and Deployment (BEAD) Program

The BEAD program allocates funding to eligible entities, which are then responsible for awarding funds to subgrantees and ensuring all requirements are met. BEAD subgrantees are required to meet certain cybersecurity and SCRM requirements, the baseline for which is contained in the BEAD notice of funding opportunity (NOFO).

States can propose additional measures on subgrantees, and therefore the final requirements will be contained in each eligible entity’s BEAD program rules, typically in the Initial Proposal Volume II.

The baseline requirements adopted by NTIA in the NOFO include:

• Prospective subgrantee has a cybersecurity risk management plan in place that is either operational or ready to be operational upon providing service
• Plan reflects the latest version of the NIST framework for Improving Critical Infrastructure Cybersecurity
• Prospective subgrantee has a SCRM plan in place that is either operational or ready to be operational upon providing service

RUS: ReConnect Program Fiscal Year (FY) 2024 (Round 5)

For the latest round of ReConnect broadband grant and loan funding, rural utilities service (RUS) requires that applicants:

 “Demonstrate, prior to the signing of the award agreement, a concerted effort to consider and address cybersecurity risks consistent with the cybersecurity performance goals for critical infrastructure and control systems directed by the National Security Presidential Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, or the current draft of these goals.”

FCC: Enhanced Alternative Connect America Model (Enhanced A-CAM) Support program

The FCC adopted the E-ACAM program under its overall federal universal service fund (USF) rules to provide for additional support for broadband deployment and service sustainability.

As part of this program, electing providers were required to implement operational cybersecurity and SCRM plans by January 1, 2024, and consistent with the BEAD program, the plans are to reflect the latest version of the NIST Framework for Improving Critical Infrastructure Cybersecurity, and SCRM plans must incorporate key practices in NIST Report 8276. Any updates must be filed with USAC within 30 days.

We’re Here to Help

To develop strategies to maintain compliance with cybersecurity and supply chain risk management requirements for federal broadband funding programs, please contact your Moss Adams professional.

Additional Resources

• Broadband & ISP
• Telecommunications Consulting Services