TIA is helping states navigate BEAD cybersecurity requirements

As states draft their initial proposals for the Broadband Equity, Access and Deployment (BEAD) program, the Telecommunications Industry Association (TIA) is striving to help broadband offices tackle the cybersecurity aspect of the BEAD guidelines.

Essentially, states must verify that the vendors and suppliers to whom they award contracts have “adequate” cybersecurity and supply chain risk management (C/SCRM) plans. As for what exactly those requirements are, TIA CEO Dave Stehlin said it’s a “very long” and complicated answer.

“We’re very active in cyber and supply chain security. We got super interested in helping the states manage the requirements that are in this multi-hundred-page Notice of Funding Opportunity,” he told Fierce.

“Because it’s overwhelming to most of them, frankly, and for the very first time ever [the government] has included requirements for cyber and supply chain security.”

Stehlin explained the BEAD NOFO refers to four federal government documents on the subject of C/SCRM, including the NIST Cybersecurity Framework and Biden’s executive order from September 2022 on enhancing the supply chain. Each document is referred to “as being baseline requirements in BEAD.”

For example, the NIST framework consists of 23 different categories covering 108 specific requirements, “everything from identifying problems to protecting networks, to detecting issues, to responding, to recovering from a problem.”

TIA created a checklist state broadband offices can use to “operationalize these guidelines – something that you can touch and feel and measure.” States can then map those requirements to TIA’s Supply Chain Security Standard (or SCS 9001).

Some of the questions on the checklist include:

· Does the organization identify cybersecurity roles and responsibilities of its workforce, including third party partners like suppliers and consultants?
· Does the organization have a Business Continuity Plan that enables the rapid recovery of normal business operations after a cyberattack or other disaster?
· Does the organization understand all legal and regulatory requirements under which it is expected to operate?

TIA made the checklist available to the state offices for free. States can either work with TIA directly or have their ISPs or vendors go through the process of meeting SCS 9001 requirements.

“The states are already overwhelmed with the tidal wave of requirements of BEAD,” said Stehlin. “A lot of them have either put off or not really even looked at the cyber and supply chain security requirements yet.”

“So we help them organize that so that they can better tell their prospective grantees what’s required and better analyze and evaluate the requirements that have come in from [the grantees] as they’re doing their work,” he added.

While Stehlin couldn’t say how many states have adopted the checklist, he noted TIA is dealing with “probably half of the states or more right now, at different speeds and different levels.”

Louisiana, for instance, is considered “very far along” and it was also the first state to publicly release its initial BEAD proposal and digital equity plan.

Cybersecurity and Buy America

Stehlin noted the Infrastructure Investment and Jobs Act’s (IIJA) Buy America requirement, which would force federal grant recipients to use products and materials that contain at least 55% domestic content, won’t affect the BEAD program’s requirements.

Earlier this year, the NTIA proposed a Buy America waiver for its $1 billion Middle Mile grant program. But it hasn’t announced any waivers thus far for BEAD.

“We expect that within the next month NTIA will be announcing any type of waiver that might come out for BEAD,” said Stehlin. “That waiver though does not have any impact on this cyber and supply chain security requirement. They’re independent.”

However, NTIA may decide to modify the Buy America requirements to accommodate the cybersecurity and supply chain guidelines outlined in BEAD.

“I would expect we’ll have answers within a month and they’ll probably be sending it out for public comment first,” he concluded.