The Cybersecurity Coalition recently submitted joint comments with the Information Technology Industry Council (ITI) in response to the Federal Communications Commission’s (FCC) notice of proposed rulemaking (NPRM) for a Schools and Libraries Cybersecurity Pilot Program. The comments support the Pilot Program as protecting education and investments in school connectivity.

The proposed three-year pilot program within the Universal Service Fund (USF) would provide up to $200 million to support cybersecurity and advanced firewall services for eligible schools and libraries. The joint comments from the Coalition and ITI emphasize that schools and libraries should have access to federal financial support in strengthening their cybersecurity practices, and that this support should be flexible and based on the entity’s risk profile. The Coalition and ITI also promoted these principles in a previous set of joint comments on the use of E-Rate program funding for advanced firewalls.

Incident reporting and information sharing as prerequisites

The Commission’s proposed rule would require schools and libraries applying for pilot grant funds to disclose details of cyber incidents and events in the previous year. The proposed rule would also require schools and libraries to join information sharing organizations as part of the pilot.

The joint comments from the Coalition and ITI urged the Commission against adopting these proposed requirements in the final rule. Gathering and communicating detailed cyber incident information can be arduous for entities that are already resource constrained. Additionally, while information sharing is an important activity, the grant applicants’ circumstances and resources may not warrant prioritizing sustained engagement with an information sharing organization over other security activities. The joint comments recommended that the FCC convert these into voluntary items on pilot funding applications and make clear that applicants may describe incidents in general terms.

Types of attacks as prerequisites

The proposed rule asked whether certain types of cyber attacks should be evaluated when selecting pilot participants. The joint comments urged the FCC to act with caution on using certain attacks or threats as a gauge for whether a school or library needs cybersecurity support. Entities that have not experienced serious cybersecurity attacks may nonetheless have poor security practices, while entities that have experienced serious cybersecurity attacks may have mature security programs. Although prior experience with security attacks is a relevant factor, the comments urge the FCC to base applicants’ eligibility on their overall risk profile.

Flexibility on eligible security measures

The joint comments urged the FCC against specifying a narrow list of security measures that are eligible for funding under the program. This was the primary concern with cybersecurity support under the E-Rate program. Instead, the joint comments argued that the FCC should enable pilot participants to avail themselves of a range of security services, depending on their risks and technology profile. This could include network, cloud, endpoint, and device security solutions designed to prevent, detect, and respond to external and internal threats.

An effective cybersecurity program must be tailored to the organization’s risks, which may differ depending on the organization’s digital assets and existing security protections. While the pilot program should be dedicated to security services, rather than general IT or tech modernization, the comments urged the FCC to consider designating broad categories of security services that preserve flexibility.

Updated definition of firewall

The joint comments support making advanced firewall services eligible under this pilot program. The key difference between basic and advanced firewalls is the greater breadth of security features supported by advanced firewalls, which provides greater resiliency against disruptive attacks. Accordingly, the comments suggest that the FCC adopt an updated definition of the term “firewall” for the purposes of the pilot that includes advanced or next generation features such as intrusion detection and prevention, application-level inspection, anti-malware and antivirus protection, VPN, DNS security, DDoS protections, and content filtering technologies.

Timeline and budget

The comments strongly urge the FCC to permanently establish the Schools and Libraries Cybersecurity Program upon conclusion of the pilot program. This would help to ensure that the security needs of educational services are being addressed on an ongoing basis. To facilitate this, the comments encourage the FCC to consider an accelerated evaluation period during the pilot and use the remaining time to permanently establish this fund for cybersecurity services, so that there is minimal gap between the pilot and a permanent program. Additionally, the comments suggest that the FCC express a preference for applications that aggregate the needs of multiple schools and libraries in order to obtain the cost benefits driven by scale, allowing the program’s funding to go further.

***

Both the Cybersecurity Coalition and the Information Technology Industry Council support efforts to protect school and library connectivity and underscore the importance of giving entities the flexibility to use resources based on their unique risk profile. Both hope that the comments are useful to the FCC as it considers the proposed rule.

Alexis Steffaro & Harley Geiger
