47 C.F.R. § 54.2004

Current through September 30, 2024
Section 54.2004 - [Effective on an indefinitely delayed date ] Application for Pilot Program selection and reporting of information
(a)Selection window. The Wireline Competition Bureau shall announce the opening of the Pilot Participant Selection Application Window for applicants to submit a Schools and Libraries Pilot Participant Selection Application.
(b)Participant announcement. The Wireline Competition Bureau shall announce those eligible applicants who have been selected to participate in the Schools and Libraries Cybersecurity Pilot Program following the close of the Pilot Participant Selection Application Window.
(c)Filing the FCC Form 484 to be considered for selection in the Pilot Program.
(1) Schools, libraries, or consortia of eligible schools and libraries to be considered for participation in the Schools and Libraries Cybersecurity Pilot Program shall submit the first part of an FCC Form 484 to the Administrator, via a portal established by the Administrator, that contains, at a minimum, the following information:
(i) Name, entity number, FCC registration number, employer identification number, addresses, and telephone number for each school, library, and consortium member that will participate in the proposed Pilot project, including the identity of the lead site for any proposals involving a consortium.
(ii) Contact information for the individual(s) who will be responsible for the management and operation of the proposed Pilot project, including name, title or position, telephone number, mailing address, and email address.
(iii) Applicant number(s) and entity type(s), including Tribal information, if applicable, and current E-Rate participation status and discount percentage, if applicable.
(iv) A broad description of the proposed Pilot project, including a description of the applicant's goals and objectives for the proposed Pilot project, a description of how Pilot funding will be used for the proposed project, and the cybersecurity risks the proposed Pilot project will prevent or address.
(v) The cybersecurity equipment and services the applicant plans to request as part of its proposed project, the ability of the project to be self-sustaining once established, and whether the applicant has a cybersecurity officer or other senior-level staff member designated to be the cybersecurity officer for its Pilot project.
(vi) Whether the applicant has previous experience implementing cybersecurity protections or measures, how many years of prior experience the applicant has, whether the applicant has experienced a cybersecurity incident within a year of the date of its application, and information about the applicant's participation or planned participation in cybersecurity collaboration and/or information-sharing groups.
(vii) Whether the applicant has implemented, or begun implementing, any U.S. Department of Education (Education Department) or Cybersecurity and Infrastructure Security Agency (CISA) best practices recommendations, a description of any Education Department or CISA free or low-cost cybersecurity resources that an applicant currently utilizes or plans to utilize, or an explanation of what is preventing an applicant from utilizing these available resources.
(viii) An estimate of the total costs for the proposed Pilot project, information about how the applicant will cover the non-discount share of costs for the Pilot-eligible services, and information about other cybersecurity funding the applicant receives, or expects to receive, from other Federal, state, local, or Tribal programs or sources.
(ix) Whether any of the ineligible services and equipment the applicant will purchase with its own resources to support the eligible cybersecurity equipment and services it plans to purchase with Pilot funding will have any ancillary capabilities that will allow it to capture data on cybersecurity threats and attacks, any free or low-cost cybersecurity resources that the applicant will require service providers to include in their bids, and whether the applicant will require its selected service provider(s) to capture and measure cost-effectiveness and cyber awareness/readiness data.
(x) A description of the applicant's proposed metrics for the Pilot project, how they align with the applicant's cybersecurity goals, how those metrics will be collected, and whether the applicant is prepared to share and report its cybersecurity metrics as part of the Pilot Program.
(2) The first part of the FCC Form 484 shall be signed by a person authorized to submit the application to participate in the Schools and Libraries Cybersecurity Pilot Program on behalf of the eligible school, library, or consortium including such entities. The person authorized to submit the first part of the FCC Form 484 application on behalf of the entities listed on an FCC Form 484 shall also certify under oath that:
(i) "I am authorized to submit this application on behalf of the above-named applicant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on any other documents submitted by this applicant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502 , 503(b) ), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001 ), or can lead to liability under the False Claims Act (31 U.S.C. 3729 - 3733 )."
(ii) "In addition to the foregoing, this applicant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities."
(iii) "By signing this application, I certify that the information contained in this form is true, complete, and accurate, and the projected expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286-287, and 1341, and Title 31, §§ 3729-3730 and 3801-3812)."
(iv) The applicant recognizes that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity.
(v) "I certify and acknowledge, under penalty of perjury, that if selected, the schools, libraries, and consortia in the application will comply with all applicable Schools and Libraries Cybersecurity Pilot Program rules, requirements, and procedures, including the competitive bidding rules and the requirement to pay the required share of the costs for the supported items from eligible sources."
(vi) "I certify under penalty of perjury, to the best of my knowledge, that the schools, libraries, and consortia listed in the application are not already receiving or expecting to receive other funding (from any source, federal, state, Tribal, local, private, or other) that will pay for the same equipment and/or services, or the same portion of the equipment and/or services, for which I am seeking funding under the Schools and Libraries Cybersecurity Pilot Program."
(vii) "I certify under penalty of perjury, to the best of my knowledge, that all requested equipment and services funded by the Schools and Libraries Cybersecurity Pilot Program will be used for their intended purposes."
(d)Filing the FCC Form 484 once selected to be in the Pilot Program.
(1) Schools, libraries, or consortia of eligible schools and libraries selected for participation in the Schools and Libraries Cybersecurity Pilot Program shall submit to the Administrator, via a portal established by the Administrator, a second part to the FCC Form 484 that contains, at a minimum, the following information, as applicable:
(i) Information about correcting known security flaws and conducting routine backups, developing and exercising a cyber incident response plan, and any cybersecurity changes or advancements the participant plans to make outside of the Pilot-funded services and equipment.
(ii) A description of the participant's current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics.
(iii) Information about a participant's planned use(s) for other Federal, state, or local cybersecurity funding (i.e., funding obtained outside of the Pilot).
(iv) Information about a participant's history of cybersecurity threats and attacks within a year of the date of its application; the date range of the incident, a description of the unauthorized access; a description of the impact to the school or library, a description of the vulnerabilities exploited and the techniques used to access the system, and identifying information for each actor responsible for the incident, if known.
(v) A description of the specific U.S. Department of Education or Cybersecurity and Infrastructure Security Agency best practices recommendations that the participant has implemented or begun to implement.
(vi) Information about a participant's current cybersecurity training policies and procedures, such as the frequency with which a participant trains its school and library staff and, separately, information about student cyber training sessions, and participation rates.
(vii) Information about any non-monetary or other challenges a participant may be facing in developing a more robust cybersecurity posture.
(2) The second part of the FCC Form 484 shall be signed by a person authorized to submit the second part as a participant in the Schools and Libraries Cybersecurity Pilot Program on behalf of the eligible school, library, or consortium including such entities. The person authorized to submit the second part of the FCC Form 484 application on behalf of the Pilot participants listed on an FCC Form 484 shall also certify under oath that:
(i) "I am authorized to submit this application on behalf of the above-named participant and that based on information known to me or provided to me by employees responsible for the data being submitted, I hereby certify that the data set forth in this form has been examined and is true, accurate, and complete. I acknowledge that any false statement on this application or on other documents submitted by this participant can be punished by fine or forfeiture under the Communications Act (47 U.S.C. 502 , 503(b) ), or fine or imprisonment under Title 18 of the United States Code (18 U.S.C. 1001 ), or can lead to liability under the False Claims Act (31 U.S.C. 3729 - 3733 )."
(ii) "In addition to the foregoing, this participant is in compliance with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program, and I acknowledge that failure to be in compliance and remain in compliance with those rules and orders may result in the denial of funding, cancellation of funding commitments, and/or recoupment of past disbursements. I acknowledge that failure to comply with the rules and orders governing the Schools and Libraries Cybersecurity Pilot Program could result in civil or criminal prosecution by law enforcement authorities."
(iii) "By signing this application, I certify that the information contained in this form is true, complete, and accurate, and the projected expenditures, disbursements, and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil, or administrative penalties for fraud, false statements, false claims, or otherwise. (U.S. Code Title 18, §§ 1001, 286-287, and 1341, and Title 31, §§ 3729-3730 and 3801-3812)."
(iv) The participant recognizes that it may be audited pursuant to its application, that it will retain for ten years any and all records related to its application, and that, if audited, it shall produce such records at the request of any representative (including any auditor) appointed by a state education department, the Administrator, the Commission and its Office of Inspector General, or any local, state, or Federal agency with jurisdiction over the entity.
(v) "I certify and acknowledge, under penalty of perjury, that if selected, the schools, libraries, and consortia in the application will comply with all applicable Schools and Libraries Cybersecurity Pilot Program rules, requirements, and procedures, including the competitive bidding rules and the requirement to pay the required share of the costs for the supported items from eligible sources."
(vi) "I certify under penalty of perjury, to the best of my knowledge, that the schools, libraries, and consortia listed in the application are not already receiving or expecting to receive other funding (from any source, federal, state, Tribal, local, private, or other) that will pay for the same equipment and/or services, or the same portion of the equipment and/or services, for which I am seeking funding under the Schools and Libraries Cybersecurity Pilot Program."
(vii) "I certify under penalty of perjury, to the best of my knowledge, that all requested equipment and services funded by the Schools and Libraries Cybersecurity Pilot Program will be used for their intended purposes."
(3) In order for a school, library, or consortia of eligible schools and libraries selected for participation in the Schools and Libraries Cybersecurity Pilot Program to retain its status as a Pilot participant and receive Pilot Program support, it will be required to submit the information required by the second part of the FCC Form 484 in the form specified by the Wireline Competition Bureau.
(4) The Wireline Competition Bureau may waive, reduce, modify, or eliminate from the second part of the FCC Form 484, information requirements that prove unnecessary for the sound and efficient administration of the Pilot.
(5) Failure to submit the information required by the second part of the FCC Form 484 may result in removal as a participant in the Pilot Program and/or a referral to the Enforcement Bureau.
(e)Data reporting requirements for participants.
(1) In order for a Pilot participant to receive and continue receiving Pilot Program support and retain its status as a Pilot participant, it will be required to submit initial and annual reports, followed by a final report at the completion of the program with the information and in the form specified by the Wireline Competition Bureau.
(2) Prior to the start of the Pilot Program, the Wireline Competition Bureau shall announce the timing and form of the initial, annual, and final reports that Pilot participants must submit.
(3) The Wireline Competition Bureau may waive, reduce, modify, or eliminate Pilot participant reporting requirements that prove unnecessary and require additional reporting requirements that the Bureau deems necessary to the sound and efficient administration of the Pilot.
(4) Failure to submit initial, annual, and final reports may result in a referral to the Enforcement Bureau, a hold on future disbursements, recission of committed funds, and/or recovery of disbursed funds.

47 C.F.R. §54.2004

89 FR 61310, 8/29/2024; 89 FR 61315, effective date to be determined