In the run-up next week to Independence Day, the most red-blooded of American holidays, we shine our legal torch on a key aspect of the BEAD program that has to date received relatively limited coverage: an oft-overlooked yet highly important provision in the BEAD program – the cybersecurity risk management plan – which was neither eliminated nor diluted by NTIA’s recently released BEAD Policy Notice (“Notice”). Connecting below the relevant dots consisting of a BEAD cybersecurity policy, we recall the immortal words of Stephen Colbert: “It’s Fourth of July weekend, or, as I call it, Exploding Christmas.”
At its most basic level, BEAD applicants must certify to and comply with the cybersecurity and supply chain risk management practices provided for in the Infrastructure Investment and Jobs Act (“IIJA”), the organic legislation for BEAD. Many states and U.S. territories, in turn, incorporated in their policies this cybersecurity requirement, taking the form of an attestation, and Pledge of Allegiance into their pre-qualification process.
To prevent a last minute revolution, prospective BEAD grant applicants should promptly take steps and fire up the grill now to ensure that they are well-positioned to successfully check the box on this threshold cybersecurity requirement, given that states will now be required under the new NTIA guidance to hold another subgrantee application round, which may likely incorporate these pre-qualification requirements, but states may also have a standalone additional prequalification round.
To ring in the Liberty Bell, in this week’s broadband update, we synthesize below the specific factors that BEAD applicants must address in their cybersecurity risk management plans as they either create one from scratch or amend existing cybersecurity plans to comply with BEAD’s requirements. In this new Administration under Uncle Sam Trump, cybersecurity concerns have taken on increased importance and urgency. And, like next week’s 4th of July parades, the list of cybersecurity issues is louder and longer than you’d think and often requires a lawyer or two with a shovel and wheelbarrow at the end of the parade to scoop up the mess left over.
We do note that, with an impending September 4 revised plan deadline, some states, such as Texas, have already requested additional time from NTIA given the programmatic changes. While the Notice mandated all states to submit Final Proposals within 90 days of the Notice’s issuance, Texas has asked for an additional 78 days to submit its proposal for, by far, the largest state BEAD grant of $3.3 billion.
Texas broadband director Greg Conte, at this week’s Broadband Communities Summit in Houston, said that this extension would “recapture the 78 days that were taken away from” the state when NTIA was undertaking its review of the program. Other states, such as Vermont, as to timing, are looking to take a different approach. Executive Director of the Vermont Community Broadband Board, Christine Hallquist, recently indicated that Vermont would build upon the work already done and the 90 day deadline is “forcing [Vermont] to make decisions faster.” She indicated the Green Mountain State wants “to be in construction next year” because of the shorter construction season due to winter weather.
Ever since our forebears squabbled over throwing perfectly good tea into some harbor, many of us have long associated Independence Day with parades, firework displays, barbecues, and other festivities. That’s precisely what John Adams anticipated when he wrote to his wife Abigail, after signing the Declaration of Independence in 1776: “It ought to be solemnized with pomp and parade, with shows, games, sports, bells, bonfires and illuminations, from one end of this continent to the other.”
The Fourth of July, a spectacular annual celebration of America’s independence from the then yoke of Great Britain’s tyranny, would have otherwise been just another day on the calendar without the actions of the original Thirteen Colonies at the Second Continental Congress. Of those Thirteen Colonies, Massachusetts arguably hosted some of the most iconic events paving the way to American independence, with the Boston Tea Party, Bunker Hill and the Battles of Concord and Lexington setting off a chain of events that escalated into the American Revolution. To quote from the iconic musical Hamilton: “I’m just like my country, I’m young, scrappy and hungry.”
And, just too cool for British rule. Lesser known is the two Carolinas’ place in American independence history. Yes, North and South Carolina are where British general Charles Cornwallis spectacularly surprised and captured American troops in Charleston in 1780, but who then crucially overestimated Loyalist support for the UK Crown, spelling the beginning of the end for King George III’s hold over the colonial jewel that would become the United States. Cornwallis would have been wise to take into account the Bruce Springsteen lyrics: “Born in the USA. I’m a cool rocking daddy in the USA.”
In honor of these original founding states of America, we unfurl our pen and sign our John Hancock below as to those Yankee Doodle loving states of Massachusetts, North Carolina, and South Carolina’s efforts to provide universal broadband access to their residents. We debated long and hard, but decided not to include an update of Texas this week, since at the time of the Revolution, it was still part of Mexico. However, as the old Texas saying goes: “Fourth of July celebrations are really just what people in Texas do every day: eat barbecue, drink beer and light stuff on fire.”
In the truly pyrotechnic IIJA, Congress directed that NTIA specify cybersecurity risk management practices for broadband providers that will use BEAD funds to deploy or upgrade broadband networks. Pursuant to that Congressional Declaration, NTIA adopted several baseline cyber requirements in the BEAD NOFO that sub-grant applicants must satisfy. It’s clear messaging to foreign bad actors: Don’t Tread on Me.
These cyber requirements must be carefully combined and handled delicately to create a more perfect Union. Or, as they say, E Pluribus Unum. And while the recent Notice notably removed, among other provisions, the “Climate Resilience” section from the NOFO, the cybersecurity requirements, as well as the statutory requirement to incorporate “best practices” to ensure network protection, reliability and resilience, are still fighting on even after the new NTIA guidelines.
As provided in the BEAD NOFO, at a minimum, prospective BEAD applicants must conspicuously fly their own cybersecurity flag and attest to the following that:
The NIST Framework offers a helpful jumping off board for broadband providers that may not already have a cybersecurity risk management plan in place. If, in fact, you started developing such a plan when the BEAD NOFO was initially issued, it would by now be knee high by the Fourth of July this year.
In acknowledging that preparation of the cybersecurity plans from scratch won’t be easy, we herein provide a high-level overview of the basic elements of that all-important cyber Framework. Admittedly, it’s not easy work. To quote Thomas Paine, “Those who expect to reap the blessings of freedom, must, like men, undergo the fatigue of supporting it.”
In one additional verse than that found in the Star-Spangled Banner itself, the NIST Cybersecurity Framework demonstrates its own unique Independence and is divided into six “Core Functions” – (1) Governance; (2) Identify; (3) Protect; (4) Detect; (5) Respond; and (6) Recover. Each of these elements is intended to be performed concurrently and continuously so that broadband providers are always ready to address dynamic cybersecurity risks. To some extent, it’s trying to turn a Hot Dog into a seven-course meal. These are difficult tasks that require patience and close attention.
NIST CSF 2.0 recognizes that everything starts with leadership, and requires that Telecom C-Suite members direct and ensure the implementation of a Risk Management framework that directs Cybersecurity and Supply Chain Risk policies [1].
The multiple Cyber activities under the “Identify” function are meant to foster a foundational organizational understanding and culture of managing cybersecurity risks, which these days is becoming as American as cherry pie. These activities include asset management, such as inventorying hardware and software, mapping organizational communication and data flows, cataloging external information systems, and classification and prioritization of resources based on their criticality and business value in and among those assets.
Further, BEAD and other broadband cybersecurity plans should display in sparkling detail that the applicant has conducted a risk assessment of all relevant vulnerabilities and risks, and how they could impact the businesses. BEAD applicants should also clearly establish cybersecurity-related roles and responsibilities for the entire workforce, including the alignment of internal and external roles, and memorialize those on paper, like our Founding Fathers did our inalienable Constitutional rights.
This is no time to flag when it comes to cybersecurity. Keep adding to and embellishing that cyber plan. A comprehensive understanding of the business environment is also encouraged by the NIST Framework, and Cyber Plans should carefully describe the company’s role in the supply chain and critical infrastructure. In addition, Cybersecurity Plans should establish, almost as if it’s a corporate Anthem, the company’s priorities among its organizational mission, objectives, and activities, as well as the company’s dependencies and critical functions and its resilience requirements. Risk management processes should also be included in this Plan, including a clearly outlined organizational risk tolerance.
To quote Revolutionary War General Nathanael Greene: “We aren’t done yet.” Under the cyber “Protect” function, BEAD and other broadband providers should further develop and implement the appropriate safeguards to ensure delivery of critical services and preemptively mitigate the impact of a potential cybersecurity event, hopefully showing that the probability of such an event occurring is as likely as a Cold Day in July.
One of the core measures that should be implemented (and documented in the BEAD Cybersecurity Plan) is employee identity and access control management, such that broadband company employees are issued credentials that are continuously audited and managed, and access (physical and remote) is protected with appropriate safeguards commensurate to the associated cybersecurity risk identified in the activities independently undertaken under the cyber “Identify” function.
Employee awareness and training are another sub-category under the “Protect” function that companies can include in their BEAD cybersecurity Plan, so that all personnel and partners are provided with the appropriate cybersecurity education and training to perform their cybersecurity-related duties and responsibilities. A fundamental component of this aspect of the Plan is data and information protection, so that data “at rest” and “in transit” are all adequately protected and formally managed. This section also includes data retention and destruction policies.
We will continue exploring and discussing the various components of a compliant Cybersecurity Plan in our future broadband updates, but briefly, Cybersecurity Plans will also need to reflect the “Governance,” “Detect,” “Respond,” and “Recover” elements of the NIST Framework.
The “Detect” function involves activities and measures to identify the occurrence of cybersecurity events, which enables companies to timely discover such events and respond as quickly as Paul Revere. And, as the title suggests, the “Respond” function includes activities that are triggered to respond promptly to a detected cybersecurity incident.
Last but not least, the cybersecurity “Recover” function involves resilience measures that restore capabilities or services that were impaired due to a cybersecurity incident so that normal operations can resume in a timely manner. And once you complete all this, let the fireworks commence and then go out and party like a Patriot. Or at least like Revolutionary patriot and brewer Sam Adams would have done.
As a final note on BEAD cybersecurity compliance, remember that the foregoing requirements are the baseline minimum threshold that states and U.S. territories must meet, and relatively cybersecurity-sensitive states may impose even more stringent criteria in the broadband programs that will distribute BEAD funding.
Among the states and U.S. territories to date that have received their full Initial Proposal approvals from the NTIA, we have not yet seen additional state-specific cybersecurity components, and we hope that this trend continues. But, it would be a miracle if no state seeks to do so. And as literary giant Thomas Wolfe famously wrote, “America is the only place where miracles not only happen, but where they happen all the time.”
We focus this week on the broadband programs in the original colonies of Massachusetts, North Carolina, and South Carolina to determine how prepared these historical states are to receive and implement their allocations of the BEAD program’s $42.45 billion. Once these funds are received, like Madonna, we expect that these states will be Just Living the American Dream. To quote an old saying from the now most definitely politically incorrect 1950’s television show Little Rascals: “All this money makes me melt like a Popsicle on the 4th of July.”
All three former British colonies are awaiting their BEAD allocation with the enthusiasm of a starving contestant at the July 4 Nathan’s Coney Island Hot Dog Contest. Once they have received these NTIA broadband funds, these jurisdictions will subsequently be responsible for disbursing funds to sub-awardees that will construct and operate the broadband networks, very likely using the same subgrant mechanism that these states already have in place. Why reinvent Betsy Ross’ flag? To quote Winston Churchill, “Americans will always do the right thing, but only after they have tried everything else.”
Massachusetts: In our previous updates covering the Old Bay State, we had expressed our reservations that any of the Commonwealth’s existing broadband grant mechanisms was ready to receive and administer the CPF or BEAD program funds. And it seems our intuition was right, because the state has decided to set up a brand-new program for the CPF award that was announced in October 2022.
The U.S. Treasury awarded Massachusetts $145 million – approximately 83% of its CPF allocation – to be used for the Broadband Infrastructure Gap Networks Grant Program, a competitive grant program designed to address gaps in broadband infrastructure where reliable service is unavailable.
Even though the U.S. Treasury’s announcement was released almost three years ago, the Bay State program didn’t announce awards until July 2024, with the first round totaling around $45 million. Despite the slower rollout, Massachusetts Broadband Institute (“MBI”), the state’s broadband authority, has some experience with broadband grant programs – MBI administers a last mile grant program, known as the Flexible Grant Program, though the program has sat idle for several years (the last application window opened in 2017).
MBI is also knee-deep in BEAD activity, having launched its first subgrantee selection phase back in January. The office, however, has indicated it expects to open the required new NTIA-mandated Benefit of the Bargain grant round in early July with the goal of submitting the state’s Final Proposal by September 4.
North Carolina: The Tar Heel state was one of the few jurisdictions nationwide to dedicate a significant portion of its share of funds from the U.S. Treasury Department’s SLFRF to broadband infrastructure, spearheaded by the North Carolina Department of Information Technology (“NCDIT”). Specifically, in 2021, the state legislature allocated $940 million in ARPA funding to deploy last-mile broadband infrastructure to serve areas that remained unserved and underserved in North Carolina through (1) the Growing Rural Economies with Access to Technology (“GREAT”) Program, (2) the Completing Access to Broadband (“CAB”) Program, (3) the Stop Gap Program, and (4) the Pole Replacement Program.
Given the volume of funding across multiple disbursement vehicles, it is no wonder North Carolina used a portion of its $5 million in BEAD planning funds to increase capacity for these existing programs run by the NCDIT Broadband Infrastructure Office. The GREAT Program is a competitive grant program that provides funding to private sector broadband providers to deploy last-mile broadband to unserved communities located in the most rural and remote areas of the state. The GREAT Program closed its last application window in May 2022 for the 2022-2023 funding round, which round disbursed $348 million of the $350 million of ARPA funds, which likely includes the $177.7 million in CPF funding approved by Treasury in December 2022. Those broadband recipients were as happy as if they were Yankee Doodles born on the 4th of July.
The CAB Program is a new broadband funding program primarily designed for individual counties to partner with NCDIT to fund deployment projects in unserved areas, although unsuccessful GREAT projects may be considered for funding under the CAB program. The state allocated $400 million of the ARPA funds for this CAB Program. For these 2 grant programs, the NCDIT maintains mapping tools to assist prospective applicants in identifying possible project areas and for other project planning purposes.
As a complementary initiative to these deployment programs, the Pole Replacement Program is a special $100 million fund that will reimburse broadband providers for eligible pole replacement costs in connection with qualified projects and is currently accepting applications on a rolling basis, until funding runs out. And lastly, the Stop Gap Program is meant to act as a fund of last resort, where grants will be provided to providers, local governments and entities to install broadband infrastructure to households that remain unserved or underserved even following the GREAT Grant and CAB Grant programs.
With all of these broadband grant programs to administer, it is no wonder NCDIT was somewhat lagging behind the rest of the country in terms of the BEAD program. However, with all the new NTIA changes to BEAD recently, the state is primed to fight back, launching its final prequalification window on June 20, which will run to July 7.
South Carolina: In contrast to its former colonial neighbors to the north, the Palmetto State does not have a menu of broadband grant programs to choose from. Instead, the state’s Office of Regulatory Staff (“ORS”), which will also administer the BEAD state grant program, has set up separate programs for each pool of money. And, broadband applicants are lining up to dive in.
Besides the BEAD program, presently the only other active grant program is the ARPA SLFRF 3.0 program, which will award approximately $214 million to broadband deployment proposals. The ORS will prioritize: (1) unserved areas with no current ISP; (2) Difficult Development Areas, as identified by HUD; and (3) census blocks that have a high concentration of unserved public K-12 student households as documented by the South Carolina Department of Education. ARPA SLFRF 3.0 closed its application window in late March 2024 and awards are expected to be announced within the next month.
Perhaps because of its relative lack of active broadband programs to administer, South Carolina’s broadband authority has been fairly prompt in its BEAD program process – the state closed its challenge window in May 2024 and received approval of its final determinations later that summer. However, we have not yet received word from the Broadband Office of when it intends to carry out its new NTIA-mandated Benefit of the Bargain Round.
As always, we continue to monitor and analyze the Trump administration’s efforts with regards to these BEAD and broadband grant issues and would be happy to discuss them with you or answer your questions.
In honor of the upcoming Independence Day weekend, we plan to go forth (so to speak) and celebrate (that is relaxing on our hammock) and thus will be taking next week off from writing our weekly broadband report. We will resume publishing the following week.
In the meantime, we plan to thoroughly enjoy the holiday weekend and eat and drink in tribute to our forefathers. What specifically will we do? Like many of you, we like our beer cold, our coffee black and our tea in the Boston Harbor.
Andy and Case
Andrew D. Lipman
Morgan, Lewis & Bockius LLP
andrew.lipman@morganlewis.com
1 Governance statement added by BorderHawk, LLC.