13 Facts About the FCC’s New Cybersecurity Pilot Program | ActZero

On June 6, 2024, the Federal Communications Commission (FCC) announced the Schools and Libraries Cybersecurity Pilot Program, a three-year, $200 million initiative to help the FCC assess the best ways to fund and protect educational institutions from cyber attacks. ActZero applauds the Commission for recognizing the importance of cybersecurity and supports the Commission’s intent to establish this program. While the application date hasn’t been announced yet, the expectation is that the application process will begin in the next month or two. 

Here’s what school tech directors need to know to take advantage of this funding opportunity.

1. The Cybersecurity Pilot Program will run similarly but is separate from E-rate, with the $200 million to be used exclusively for eligible cybersecurity equipment and services. 

2. Participants will be selected on the strength of their proposed projects.

3. Schools and districts can receive annually up to $13.60 per student, with a $15,000 floor and a $1.5 million ceiling.  Grants may become available as early as this summer or fall.  

4. Eligible schools and libraries that apply as a consortium can participate in the Pilot (consistent with E-rate rules).

5. You can apply for funds to secure your networks in four categories:

• Advanced or next-generation firewalls: equipment, services, or a combination of equipment and services that limits access between networks, excluding basic firewall services and components currently funded through E-rate.
• Endpoint protection (EDR): services and equipment such as anti-virus, anti-malware, and anti ransomware that protect networks from potential vulnerabilities introduced by desktops, laptops, mobile devices, and other end-user devices connected to networks.
• Identity protection and authentication: equipment, services, or a combination that implements safeguards to protect a user’s network identity from theft or misuse and/or provide assurance about the network identity of an entity interacting with a system. These tools can include DNS/DNS-layer security, content blocking and filtering/URL filtering, multi-factor authentication (MFA)/phishing-resistant MFA, single sign-on (SSO), and event logging.  
• Monitoring, detection and response (MDR): equipment, services, or a combination that monitors and/or detects threats to a network and takes responsive action to remediate or address those threats.

6. Participating schools will receive funding to prioritize implementation of solutions within one major technological category.  

7. Discounts will be based on E-rate Category 1 discount formulas. Priority is based on need, so the FCC will start with applicants at the 90-percent level and only move on if funds are not exhausted.

8. The application process is two-phase: phase one will determine the pilot participants who will move on to phase two. Competitive bidding will follow the application process, using the 470/471 filing method.

9. Here’s what you will need to apply when the application is available. So start gathering these items now:

• Project description—Goals and objectives, the cybersecurity risks you’ll address, and how you’ll use the funding.
• Equipment and services—A detailed list of products and services, how the project will sustain itself after initial funding, and a list of designated staff.
• Applicant’s experience—Number of years of experience with cybersecurity measures, if you’ve had  a cybersecurity incident within the last year, and participation in cybersecurity information groups.
• Compliance and resource usage—Education Department or CISA recommendations you’ve implemented, free or low-cost cybersecurity resources in place, and any obstacles preventing the use of available resources.
• Financial details—An estimate of the total costs for the project, how you’ll cover the non-discount share of costs, and a list of any other cybersecurity funding anticipated or received.
• Service provider requirements—Any ineligible services and equipment you’ve purchased that will support the eligible cybersecurity equipment and services.
• Metrics and reporting—How you’ll collect them and how they align with cybersecurity goals.

10. Participating schools will be required to contribute a portion of the costs of the cybersecurity services and equipment they seek to purchase with pilot program support.  

11. Pilot participants will request reimbursement as expenses are incurred.

12. Applicants must submit their FCC Form 484 applications via an online platform. The application consists of two parts, with the first part being a general level of cybersecurity information and the second part, for selected pilot participants, including more detailed cybersecurity information. This process will reduce the initial application burden and limit the amount of sensitive cybersecurity information being provided in the application stage.

13. As with the E-rate program, pilot participants must file a Pilot FCC Form 471 to request discounts on eligible services and equipment. Form 471 will include information on the recipients of services and equipment,  detailed descriptions of the services and equipment requested (e.g., costs and service dates), and certifications regarding compliance with pilot rules.