3060-1323 Cybersecurity Pilot Supporting Statement_June 2025

3060-1323 Cybersecurity Pilot Supporting Statement_June 2025.docx

Schools and Libraries Cybersecurity Pilot Program

OMB: 3060-1323

Document [docx]
Download: docx | pdf

Information Collection 3060-1323

Schools and Libraries Cybersecurity Pilot Program June 2025


This submission is being made pursuant to 44 U.S.C. § 3507 of the Paperwork Reduction Act of 1995 (PRA) to obtain Office of Management and Budget (OMB) approval to revise the existing collection, OMB Control Number 3060-1323, for the Schools and Libraries Cybersecurity Pilot Program (Cybersecurity Pilot Program or Pilot). This revision adds a third part to the Cybersecurity Pilot Program FCC Form 484, to collect annual reporting data from the Pilot’s participants. Revisions have also been made to the Cybersecurity Pilot Program FCC Form 471. The revisions in the Cybersecurity Pilot Program FCC Form 471 include adding data fields to account for tax and installation/activation/configuration costs, removing data fields that will not be collected, and making wording changes to the CIPA certifications to be consistent with Commission rules.


SUPPORTING STATEMENT


This information collection establishes requirements for the Cybersecurity Pilot Program. It requests information from applicants that will be used by the Commission to evaluate and select Pilot participants to receive funding under the Cybersecurity Pilot Program, and will be used by the Commission and the Universal Service Administrative Company (USAC or the Administrator) to reimburse schools, libraries, and consortia of schools and libraries (consortia) for the purchase of eligible cybersecurity services and equipment necessary to protect their broadband networks and data. The information collection also collects periodic data reporting and certifications from Pilot participants to evaluate performance goals and the success of the Cybersecurity Pilot Program. Additionally, the information collected helps assess the costs and benefits of utilizing universal service funds to support the cybersecurity needs of schools and libraries. See Schools and Libraries Cybersecurity Pilot Program, WC Docket No. 23-234, Report and Order, FCC 24-63, (adopted June 6, 2024) (Cybersecurity Pilot Report and Order).


A. Justification:


1. Circumstances that make the collection necessary. Sections 254(1), (c)(3), (h)(1)(B), and (h)(2) of the Communications Act of 1934, as amended (Communications Act), grant the Commission authority to specify the services that will be supported using universal service funds and to design the specific mechanisms for support. The E-Rate program (formally known as the schools and libraries universal service support mechanism) provides funding for category one services, which include services and equipment needed to support broadband connectivity to schools and libraries, and category two services, which include services and equipment needed to support broadband connectivity within the schools and libraries. Basic firewall service is the only cybersecurity service currently funded by the E-Rate program. Specifically, basic firewall service provided as part of the vendor’s Internet service is funded as a category one service, and separately-priced basic firewalls and services are funded as a category two service subject to the E-Rate applicants’ five-year category two budget. The program defines a firewall as a hardware and software combination that sits at the boundary between an organization’s network and the outside world, and protects the network against unauthorized access or intrusions. Under the E-Rate program, eligible schools, school districts, libraries, and consortia that include eligible schools and libraries may apply for discounts ranging from 20 percent to 90 percent of the pre-discount price of the eligible services and equipment. The level of discounts may change depending on the category of eligible services selected, urban/rural designation, and level of need (based on the applicant’s percentage of students participating in the National School Lunch Program (NSLP)).


Schools and libraries are increasingly targets of cyber attackers who disrupt their ability to educate, and who illegally obtain sensitive student, school staff, and library patron data, and hold the school and library broadband networks hostage to extract ransom payments. During the COVID-19 pandemic, many E-Rate stakeholders submitted petitions asking the Commission to reconsider the eligibility of advanced firewall and other network security services given the increased use of schools’ broadband networks to provide remote learning to their students.


In the Cybersecurity Pilot Program Report and Order, the Commission establishes a three-year Cybersecurity Pilot Program to ascertain whether supporting cybersecurity services and equipment with universal service support could advance the key universal service principles of providing quality Internet and broadband services to K-12 schools and libraries at just, reasonable, and affordable rates; and to ensure schools’ and libraries’ access to advanced telecommunications as provided by Congress in the Telecommunications Act of 1996.


The Cybersecurity Pilot Program is a separate program from the E-Rate program, which has long provided funding for broadband services delivered to and within schools and libraries. The Cybersecurity Pilot Program will also be separate from the Emergency Connectivity Fund (ECF) program which was an emergency program established through the American Rescue Plan Act of 2021. In the interest of efficiency and simplicity, however, the goals and measures, rules, and processes adopted for the Cybersecurity Pilot Program will leverage the Commission’s experience with the E-Rate and ECF programs, including adapting the E-Rate and ECF program forms and processes for use in the Cybersecurity Pilot Program. This method will streamline the Cybersecurity Pilot Program application and reimbursement processes for applicants, participants, and service providers; expedite the processing of applications and reimbursement requests; and lessen administrative burdens on participants and service providers participating in the Cybersecurity Pilot Program.


The Cybersecurity Pilot Program Report and Order established a bifurcated application process to limit the amount of sensitive cybersecurity information provided by applicants at the application stage and reduce the initial application burden. It also adopted Cybersecurity Pilot Program performance goals and periodic data reporting requirements designed to allow the Commission to evaluate the goals and success of the Cybersecurity Pilot Program while, to the extent possible, taking steps to minimize the burden on participants. Specifically, initial, annual, and final reporting requirements were adopted for Cybersecurity Pilot Program participants to evaluate and report on their cybersecurity readiness before beginning participation in, during, and after the Cybersecurity Pilot Program. The Cybersecurity Pilot Program Report and Order also required that the certifications be added to the periodic data reporting requirements to require Cybersecurity Pilot Program participants to certify to the accuracy of the information they reported and to define mechanisms for enforcement if they failed to meet their reporting obligations. Tracking and evaluating Cybersecurity Pilot Program participants’ cybersecurity progress over the course of the Pilot Program is essential to determine whether and how to fund schools’ and libraries’ cybersecurity needs through the E-Rate program or another universal service program on an ongoing basis.


To accomplish the goal of periodic data reporting by Cybersecurity Pilot Program participants,

the Cybersecurity Pilot Program Report and Order directs the Wireline Competition Bureau (Bureau) to detail the specific information to be provided by Cybersecurity Pilot Program participants, provide additional detail regarding the timing for the submission of the reports, and consider developing a standardized reporting form and publicizing its availability. The Cybersecurity Pilot Program Report and Order also directs the Bureau, in consultation with the FCC’s Office of Economics and Analytics, to review the initial, annual, and final reports submitted by Cybersecurity Pilot Program participants and publish one interim report during the three-year Cybersecurity Pilot Program period and a final report after the conclusion of the Pilot Program. The interim report must provide, at a minimum, a summary of the funding commitments and disbursements to-date and provide an update on progress toward the Cybersecurity Pilot Program’s performance goals. The final report must provide, at a minimum, a summary of funding disbursements, evaluate the Cybersecurity Pilot Program’s success in meeting each performance goal, and identify lessons learned.


All schools, libraries, and consortia of eligible schools and libraries interested in participating in the Cybersecurity Pilot Program submitted the first part of an application (Schools and Libraries Cybersecurity Pilot Program Application, FCC Form 484) that collected general information about how they would use the Pilot funds and provided a broad overview of their proposed Cybersecurity Pilot Program projects. Eligible entities are selected to participate in the Cybersecurity Pilot Program from the set of applicants that file the first part of the Cybersecurity Pilot Program Application, FCC Form 484. Applicants who are selected as Pilot participants will file the second part of the Cybersecurity Pilot Program Application, FCC Form 484. The second part of the application will collect a more detailed level of cybersecurity data and Pilot project information, but only from Cybersecurity Pilot Program participants. Pursuant to the Cybersecurity Pilot Program Report and Order and section 54.2004(e) of the Commission’s rules, the first and second parts of the Cybersecurity Pilot Program Application, FCC Form 484 (approved under OMB Control No. 3060-1323), will be used to establish baseline (i.e., “initial”) data reporting for Cybersecurity Pilot Program participants. As contemplated by the Cybersecurity Pilot Program Report and Order and section 54.2004(e) of the Commission’s rules, the Bureau will use the amended Cybersecurity Pilot Program Application (FCC Form 484), which combines the information from the first and second parts of the FCC Form 484 and adds new annual data reporting requirements (i.e., the third part of the FCC Form 484), to collect annual reporting data from Cybersecurity Pilot Program participants. The Cybersecurity Pilot Program Report and Order provided that Cybersecurity Pilot Program participants are required to provide the information requested on the first and second parts of the Cybersecurity Pilot Program Application, FCC Form 484, and to comply with the Commission’s periodic data reporting requirements (section 54.2004(e) of the Commission’s rules). They were also informed that they are subject to removal from the Cybersecurity Pilot Program if they refused or failed to provide the requested information. In this revision to the information collection, a third part is added to the FCC Form 484, to collect annual reporting data from the Pilot participants and require them to certify that the information they provide is true, accurate, and complete.


On January 16, 2025, the Commission selected 707 schools, libraires, and consortia of schools and libraries as participants in the Cybersecurity Pilot Program. See Wireline Competition Bureau Announces the Selection of Cybersecurity Pilot Program Participants and Provides Additional Information Regarding Program Requirements, WC Docket No. 23-234, Public Notice, DA 25-53 (WCB rel. Jan. 16, 2025).


The selected Pilot participants seek bids for their requested eligible cybersecurity services and equipment by filing the Schools and Libraries Cybersecurity Pilot FCC Form 470 (FCC Form 470 - Cybersecurity) with USAC, the current administrator of the E-Rate and ECF programs. After entering into agreements for eligible cybersecurity services and equipment, Pilot participants apply for funding by filing the Schools and Libraries Cybersecurity Pilot FCC Form 471 (FCC Form 471 - Cybersecurity) application form, including supporting documentation, with the Administrator during the application filing window(s). Pilot participants will also be required to provide certifications regarding their compliance with the Schools and Libraries Cybersecurity Pilot Program rules on these forms. FCC Form 470 – Cybersecurity and FCC Form 471 – Cybersecurity are included with this submission. The FCC Form 470 – Cybersecurity is modeled after the FCC Form 470 that is approved in information collection OMB Control No. 3060-0806. The FCC Form 471 – Cybersecurity is modeled after both the FCC Form 471 and the ECF FCC Form 471 that are approved in information collections OMB Control Nos. 3060-0806 and 3060-1286.


Upon receipt of eligible cybersecurity services or equipment, participants or service providers, must submit requests for reimbursement (Schools and Libraries Cybersecurity Pilot FCC Forms 472 and 474 (FCC Forms 472 - Cybersecurity and 474 – Cybersecurity) along with supporting invoicing documentation, to request disbursements through the Cybersecurity Pilot Program. The authorized person submitting the form will also be required to provide certifications regarding their compliance with the Schools and Libraries Cybersecurity Pilot Program. The Schools and Libraries Cybersecurity Pilot FCC Form 472 - Cybersecurity and FCC Form 474 – Cybersecurity are included with this submission. The FCC Form 472 - Cybersecurity and FCC Form 474 – Cybersecurity are modeled after both the FCC Forms 472 and 474 and the ECF FCC Forms 472 and 474 that are approved in information collections OMB Control Nos. 3060-0856 and 3060-1286.


Participants will also be able to request post-commitment changes to their FCC Form 471 - Cybersecurity funding requests by submitting the Cybersecurity Pilot Program post-commitment change request FCC Form 488 to USAC for review and approval (ECF FCC Form 488, as adapted for use in the Cybersecurity Pilot Program). Participants will be able to amend service start and end dates, reduce or cancel funding requests, substitute equipment or services, or change service providers through this process. Service providers are also allowed to submit this form to make certain changes to the funding requests as well. The Cybersecurity Pilot Program FCC Form 488 is included in this submission. The Schools and Libraries Cybersecurity Pilot FCC Form 488 is modeled on the approved information collection associated with OMB Control No. 3060-1286, ECF FCC Form 488 (using FCC Forms 471, 486, and 500) (FCC Form 488 – Cybersecurity).


Collection of the information is necessary so that the Commission and the Administrator have sufficient information to determine if entities are eligible for funding and complying with the Commission’s rules. In addition, the information is necessary for the Commission to evaluate the extent to which the Pilot is meeting the statutory objectives specified in section 254(h) of the Communications Act, as amended.


Statutory authority for this collection of information is contained in sections 1-4, 201-202, 254, 303(r), and 403 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151-154, 201-202, 254, 303(r), and 403.


This information collection includes personally identifiable information (PII) in the form of business

contact information, which will be protected in accordance with the Privacy Act.  Maintenance and

potential disclosure of the PII information is covered by the FCC-2, Business Contacts

and Certifications, System of Records Notice (SORN), posted at

https://www.fcc.gov/managingdirector/privacy-transparency/privacy-act-information.  A Privacy Act

Statement citing the FCC-2 SORN will be provided to respondents at the time the PII is collected.

SCHOOLS AND LIBRARIES CYBERSECURITY PILOT PROGRAM INFORMATION COLLECTION REQUIREMENTS


The following are the information collection requirements associated with the Schools and Libraries Cybersecurity Pilot Program:

  1. Schools and Libraries Cybersecurity Pilot Program Application (FCC Form 484) (Revised to add part three)


In order to be considered for participation in the Cybersecurity Pilot Program, eligible school, library, and consortium applicants must electronically submit the first part of an application, Schools and Libraries Cybersecurity Pilot Program FCC Form 484 (FCC Form 484), through an online system for the Cybersecurity Pilot Program. The information submitted will be used by the Commission to select Pilot participants and make preliminary funding determinations. The Wireline Competition Bureau (Bureau) will announce the opening of the Pilot Participant Selection Application Window. Eligible recipients shall submit an FCC Form 484 following the opening of the window. The Bureau shall announce those eligible applicants that have been selected to participate in the Cybersecurity Pilot Program following the close of the window.


  • Online Access for Streamlined Filing – Once information is pre-populated into the first part of the FCC Form 484, applicants will be able to check and provide corrections and updates to the information. The online portal asks for basic information about the applicant such as name, address, email address, and website information, and pre-populates these and other components of information already known about the applicant from prior submitted basic entity-related data into the online Cybersecurity Pilot Program Application form (FCC Form 484). This information comes from the applicant’s information that was pre-filed and stored in the system, minimizing the burden of collecting this basic information. Specifically, in the first part of the FCC Form 484 applicants will be asked to provide:


  • Name, entity number, FCC registration number, employer identification number, addresses, and telephone number for each school, library, and consortium member that will participate in the proposed Pilot project, including the identity of the lead site for any proposals involving consortium. (This information will be pre-populated if available.)

  • Contact information for the individual(s) who will be responsible for the management and operation of the proposed Pilot project, including name, title or position, telephone number, mailing address, and email address. (This information will be pre-populated if available.)

  • Applicant number(s) and entity type(s), including Tribal information, if applicable, and current E-Rate participation status and discount percentage, if applicable. (This information will be pre-populated if available).

  • A broad description of the proposed Pilot project, including a description of the applicant’s goals and objectives for the proposed Pilot project, a description of how Pilot funding will be used for the proposed project, and the cybersecurity risks the proposed Pilot project will prevent or address.

  • The cybersecurity equipment and services the applicant plans to request as part of its proposed project, the ability of the project to be self-sustaining once established, and whether the applicant has a cybersecurity officer or other senior-level staff member designated to be the cybersecurity officer for its Pilot project.

  • Whether the applicant has previous experience implementing cybersecurity protections or measures, how many years of prior experience the applicant has, whether the applicant has experienced a cybersecurity incident within a year of the date of its application, and information about the applicant’s participation or planned participation in cybersecurity collaboration and/or information-sharing groups.

  • Whether the applicant has implemented, or begun implementing, any U.S. Department of Education or Cybersecurity and Infrastructure Security Agency best practices recommendations, a description of any U.S. Department of Education or Cybersecurity and Infrastructure Security Agency free or low-cost cybersecurity resources that an applicant currently utilizes or plans to utilize, or an explanation of what is preventing an applicant from utilizing these available resources.

  • An estimate of the total costs for the proposed Pilot project, information about how the applicant will cover the non-discount share of costs for the Pilot-eligible services, and information about other cybersecurity funding the applicant receives, or expects to receive, from other federal, state, local, or Tribal programs or sources.

  • Whether any of the ineligible services and equipment the applicant will purchase with its own resources to support the eligible cybersecurity equipment and services it plans to purchase with Pilot funding will have any ancillary capabilities that will allow it to capture data on cybersecurity threats and attacks, any free or low-cost cybersecurity resources that the applicant will require service providers to include in their bids, and whether the applicant will require its selected service provider(s) to capture and measure cost-effectiveness and cyber awareness/readiness data.

  • A description of the applicant’s proposed metrics for the Pilot project, how they align with the applicant’s cybersecurity goals, how those metrics will be collected, and whether the applicant is prepared to share and report its cybersecurity metrics as part of the Cybersecurity Pilot Program.


In order to participate in the Cybersecurity Pilot Program, eligible school, library, and consortium applicants who are selected as Pilot participants must electronically submit the second part of the FCC Form 484 through an online system for the Cybersecurity Pilot Program. The information submitted will be used by the Commission to make more definitive funding determinations and collect baseline cybersecurity data.


  • Online Access for Streamlined Filing – Once information is pre-populated into the second part of the FCC Form 484, participants will be able to check and provide corrections and updates to the information. For the second part of the FCC Form 484, the online portal asks for the following additional (or substantially similar) cybersecurity information, as applicable:


  • Information about correcting known security flaws and conducting routine backups, developing and exercising a cyber incident response plan, and any cybersecurity changes or advancements the participant plans to make outside of the Pilot-funded services and equipment.

  • A description of the participant’s current cybersecurity posture, including how the school or library is currently managing and addressing its current cybersecurity risks through prevention and mitigation tactics.

  • Information about a participant’s planned use(s) for other federal, state, or local cybersecurity funding (i.e., funding obtained outside of the Pilot).

  • Information about a participant’s history of cybersecurity threats and attacks within a year of the date of its application; the date range of the incident; a description of the unauthorized access; a description of the impact to the school or library; a description of the vulnerabilities exploited and the techniques used to access the system; and identifying information for each actor responsible for the incident, if known.

  • A description of the specific U.S. Department of Education or Cybersecurity and Infrastructure Security Agency cybersecurity best practices recommendations that the participant has implemented or begun to implement.

  • Information about a participant’s current cybersecurity training policies and procedures, such as the frequency with which a participant trains its school and library staff and, separately, information about student cyber training sessions, and participation rates.

  • Information about any non-monetary or other challenges a participant may be facing in developing a more robust cybersecurity posture.

  • Additionally, Cybersecurity Pilot Program participants must complete the third part of the Cybersecurity Pilot Program FCC Form 484, which collects annual reporting data from the Pilot participants.

  • Participants must provide certifications along with the first, second, and third parts of their Cybersecurity Pilot Program FCC Forms 484. These certifications are required to protect the integrity of the Cybersecurity Pilot Program, and to ensure compliance with the Commission’s rules.

  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 470 “Description of Services Requested and Certification” (FCC Form 470 – Cybersecurity) (No change)


  • Cybersecurity Pilot Program participants will submit a Schools and Libraries Cybersecurity Pilot Program FCC Form 470 (FCC Form 470 - Cybersecurity) to the Administrator to initiate their competitive bidding process, if not subject to a competitive bidding exemption. The FCC Form 470 - Cybersecurity shall include, at a minimum, a list of specified services and/or equipment for which the school, library, or consortium requests bids and sufficient information to enable bidders to reasonably determine the needs of the participant and provide responsive bids. The FCC Form 470 - Cybersecurity will be submitted electronically through the Cybersecurity Pilot Program online system and available information in the portal will be migrated to the FCC Form 470 - Cybersecurity to lessen the administrative burden on the participant. The Cybersecurity Pilot Program FCC Form 470 - Cybersecurity relies on the data that is collected on the E-Rate FCC Form 470 (approved under OMB Control Number 3060-0806).


  • Participants must provide certifications along with their Cybersecurity Pilot Program FCC Form 470 - Cybersecurity. These certifications are required to protect the integrity of the Cybersecurity Pilot Program and to ensure compliance with the Commission’s rules.


  • USAC will post each certified Cybersecurity Pilot Program FCC Form 470 - Cybersecurity on its website and send confirmation of the posting to the participant requesting services and/or equipment. Participants must wait at least 28 days from the date on which its description of services and/or equipment is posted on the USAC’s website before entering into contracts and agreements with the selected providers of services and/or equipment. The confirmation from USAC will include the date after which the Cybersecurity Pilot Program participant may select its service provider(s) and sign a contract with its chosen provider(s).


  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 471 “Services Ordered and Certification” (FCC Form 471 – Cybersecurity) (Revisions to data fields and certifications).

For the Cybersecurity Pilot Program, participants will file a Cybersecurity Pilot Program FCC Form 471 (FCC Form 471 - Cybersecurity) to notify USAC of the services and/or equipment that have been or will be purchased, the service provider(s) with whom the participant has entered into an agreement, and an estimate of the funds needed to reimburse the costs of the eligible services and equipment through the Cybersecurity Pilot Program.

  • Online Access for Streamlined FilingOnce information is prepopulated into the FCC Form 471- Cybersecurity, participants will be able to check and provide corrections and updates to the information. The online portal asks for basic information about the participant such as name, telephone number, address, email address, and website information, and pre-populates these and other components of information already known about the participant from previously submitted data that will be migrated to the online FCC Form 471- Cybersecurity. This information comes from the participant’s profile information that was pre-filed and stored in the system, minimizing the burden of collecting this basic information. The portal may also ask other questions related to the FCC Form 471 as the participant completes and submits the online Cybersecurity Pilot Program FCC Form 471- Cybersecurity. The Cybersecurity Pilot Program FCC Form 471- Cybersecurity relies on the data that is collected on both the E-Rate FCC Form 471 (approved under OMB Control Number 3060-0806) and the ECF FCC Form 471 (approved under OMB Control No. 3060-1286). Access to the portal and pre-population of data is expected to expedite the FCC Form 471- Cybersecurity filing process for participants to request Cybersecurity Pilot Program support for eligible services and equipment to support the program goals of: (1) improving the security and protection of E-Rate-funded broadband networks and data; (2) measuring the costs associated with cybersecurity services and equipment, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants; and (3) evaluating how to leverage other federal K-12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs.

  • Customized ApplicationsIn general, the FCC Form 471- Cybersecurity is customized to the type of participant and/or the type of selections made during the filing process.

  • Integrated Instructions – Guidance for filling out the form is integrated into the online system to provide filers a roadmap to complete the FCC Form 471- Cybersecurity. Wherever applicable and possible, filers will be provided explanatory text regarding the selections they choose during filing, and additional text to remind them where they may have to provide additional information or meet special requirements.

  • Requesting ServicesIn addition to information previously asked of participants to request funding for services and equipment in this collection, participants may need to supply additional information and documentation to enable USAC and the Commission to determine if the participant is compliant with the Cybersecurity Pilot Program rules and the requested services and equipment are eligible for support.

  • Other Documentation Requirements Schools, libraries, and consortia are required to maintain inventories of services and equipment purchased or reimbursed through the Cybersecurity Pilot Program. All eligible schools, libraries, and consortia that choose to participate may be required to collect and submit data as part of the funding request process, at regular intervals during the Cybersecurity Pilot Program, and at the end of the Pilot. The collection of this information, which may go beyond that provided in the Cybersecurity Pilot Program FCC Forms 484 and 471- Cybersecurity, is necessary to evaluate the impact of the Pilot, including whether the Pilot achieves its goals. This includes the proposed evaluation process, as well as annual and final progress reports detailing the use of funds and effectiveness of the Cybersecurity Pilot Program.

  • Streamlined Communications Once an FCC Form 471- Cybersecurity has been filed, filers receive a notice through the user online portal to confirm receipt.

  • The Commission’s rules require participants to certify on the Cybersecurity Pilot Program FCC Form 471 – Cybersecurity their compliance with the requirements for the Cybersecurity Pilot Program (47 C.F.R. § 54.2006(a)(2)(i)-(xvi)). These certifications are required to protect the integrity of the Cybersecurity Pilot Program, and to ensure compliance with the Commission’s rules.

  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 472/474 “Request for Reimbursement” (FCC Form 472/474 – Cybersecurity) (No change)


  • For the Cybersecurity Pilot Program, participants and/or service providers will submit a Cybersecurity Pilot Program Request for Reimbursement Form (Request for Reimbursement or FCC Form 472/474 - Cybersecurity) to receive disbursements from the Program. Much of the requested information will be pre-populated through the online portal. USAC will review and approve the requests for reimbursement. The Cybersecurity Pilot Program Request for Reimbursement relies on the data that is collected on both the E-Rate FCC Form 472 and FCC Form 474 (approved under OMB Control Number 3060-0856) and the ECF FCC Form 472/474 (approved under OMB Control No. 3060-1286), including information about the amount paid for approved services delivered on or after the actual service start date and approved services and equipment, as reported on the FCC Form 471- Cybersecurity.


  • Participants and/or service providers will also be required to provide invoices and other supporting documentation for the services and equipment that are included in the Cybersecurity Pilot Program Request for Reimbursement. This requirement will help to ensure that the Cybersecurity Pilot Program is being used as intended and will protect the integrity of the Cybersecurity Pilot Program.


  • Participants and/or service providers must provide certifications along with their Cybersecurity Pilot Program Requests for Reimbursement. (47 C.F.R. § 54.2008(a)(1)(i)-(xiii); § 54.2008(a)(2)(i)-(xiii)). These certifications are required to protect the integrity of the Cybersecurity Pilot Program, and to ensure compliance with the Commission’s rules.


  • Participants and/or service providers will receive electronic notifications as to the status of their Cybersecurity Pilot Program Requests for Reimbursement.


  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 488 “Post-Commitment Change Request” (based on ECF FCC Form 488) (FCC Form 488 – Cybersecurity) (No change)


  • After USAC reviews the funding request and commitments are issued to fund the eligible services and equipment requested in the Cybersecurity Pilot Program FCC Form 471- Cybersecurity, participants may make adjustments to previously filed FCC Forms 471 - Cybersecurity, such as changing the service start date or service end date, cancelling or reducing the amount of a funding request approved, requesting a service or equipment substitution and requesting a service provider change. Service providers are also allowed to make certain post-commitment changes to their FCC Form 471- Cybersecurity funding requests. (See 47 C.F.R. § 54.2006(b) (allowing participants to submit service substitutions for approval by USAC)). This Cybersecurity Pilot Program Post-Commitment Change Request (FCC Form 488 – Cybersecurity) can be used by participants to make these necessary changes to their previously approved and committed Cybersecurity Pilot FCC Forms 471- Cybersecurity. The change request for use in the Cybersecurity Pilot Program is included in this submission. This change request is based on the approved information collection for the ECF FCC Form 488, OMB Control No. 3060-1286 to create a streamlined process for making post-commitment changes in the Cybersecurity Pilot Program. The participant or service provider will request these changes by logging into the online portal, making changes to the selected Cybersecurity Pilot Program FCC Form 471- Cybersecurity, and then re-certifying the requested changes to the selected FCC Form 471- Cybersecurity in the online portal. See, e.g., 47 C.F.R. § 54.2006(b) (allowing service and equipment substitutions).1


  1. Recordkeeping, Reporting, and Audits (Revised to update annual reporting requirement).


All participants will be required to submit initial and annual reports, followed by a final report at the completion of the Pilot Program. (47 C.F.R. § 54.2004(e)(1)). The annual data will be collected through part 3 of the Schools and Libraries Cybersecurity Pilot Program Application, FCC Form 484. All participants in the Cybersecurity Pilot Program will also be required to retain all documentation accumulated during the Pilot for at least ten (10) years from the last date of service or delivery of equipment. All Cybersecurity Pilot Program participants shall maintain asset and inventory records of services and equipment purchased sufficient to verify the actual location of such services and equipment for a period of 10 years after purchase. All participants in the Cybersecurity Pilot Program will produce these records upon request of any representative (including any auditor) appointed by a state education department, USAC, the Commission and its Office of Inspector General, or any local, state, or federal agency with jurisdiction over the entity. Cybersecurity Pilot Program participants may also be subject to compliance audits to ensure they are complying with Cybersecurity Pilot Program rules and certification requirements. (47 C.F.R. §§ 54.2009(a)-(b), 54.2010(a)-(b)).


2. Use of information. The information collected is designed to obtain information from applicants and service providers that will be used by the Commission and/or USAC to evaluate the applications and select participants to receive funding under the Cybersecurity Pilot Program, and make funding determinations and disburse funding in compliance with applicable federal laws for payments made through the Cybersecurity Pilot Program. The Commission started accepting applications to participate in the Cybersecurity Pilot Program after publication of its Cybersecurity Pilot Program Report and Order and notice of OMB approval of the Cybersecurity Pilot Program information collection in the Federal Register. This revision adds a third part to the Schools and Libraries Cybersecurity Pilot Program Application, FCC Form 484, which is necessary so that the Commission has sufficient information to evaluate whether the Cybersecurity Pilot Program performance goals and periodic data reporting requirements set forth in the Cybersecurity Pilot Program Report and Order are being met. It is also necessary to help assess the costs and benefits of using the limited universal service funds to support the cybersecurity needs of K-12 schools and libraries. Finally, it is necessary to evaluate the extent to which the Cybersecurity Pilot Program is meeting the statutory objectives specified in section 254(h) of the Communications Act, as amended.


3. Use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. In an effort to reduce any burden created by the information collection requirements, respondents will be required to submit their applications and forms, including their initial, annual, and final Schools and Libraries Cybersecurity Pilot Program Application, FCC Forms 484, electronically through an online portal on the USAC website. The online data collections do not, in non-material respects, exactly resemble the representation or template of the form charts included with this submission. The online interface will permit applicants, participants, and service providers to input data in required fields and auto-populate data where applicable, reducing their filing burden.


4. Efforts to identify duplication. There will be no duplication of information. The information sought is unique to each applicant, participant, or service provider and similar information is not already available. To the extent some information is already available through the E-Rate and ECF portals, it will be migrated into the Cybersecurity Pilot Program online portal.


5. Impact on small entities. Entities directly subject to the requirements in this information collection are primarily schools, libraries, school districts, and consortia thereof. This information collection is designed to impose the least possible burden on the respondents while ensuring that the Commission and USAC have the information necessary to evaluate applications for the Cybersecurity Pilot Program, select participants for the program to receive funding, evaluate participants’ and service providers’ requests for reimbursement, evaluate whether the Cybersecurity Pilot Program performance goals and periodic data reporting requirements are being met, assess the costs and benefits of using the universal service funds to support the cybersecurity needs of K-12 schools and libraries, and evaluate the extent to which the Cybersecurity Pilot Program is meeting the statutory objectives specified in section 254(h) of the Communications Act, as amended. Specifically, the Commission has limited the information requirements to those necessary for the purposes for which the information will be used.


6. Consequences if information is not collected. The information collected will be used to evaluate applications, make Pilot participant selections, issue funding commitments and disbursements, evaluate whether the Cybersecurity Pilot Program performance goals and periodic data reporting requirements are being met, assess the costs and benefits of using the universal service funds to support the cybersecurity needs of K-12 schools and libraries, and evaluate the extent to which the Cybersecurity Pilot Program is meeting the statutory objectives specified in section 254(h) of the Communications Act, as amended. Without the requested information, the Commission will not be able to assess applicant eligibility, the extent to which funds are properly used, or conduct the necessary evaluations for the Cybersecurity Pilot Program.


7. Special circumstances. There are no special circumstances associated with this information collection.


8. Federal Register notice; efforts to consult with persons outside the Commission. The Commission published a Federal Register Notice on April 15, 2025, 90 FR 15713, seeking comments on the revised information collection.


9. Payments or gifts to respondents. The Commission does not anticipate providing any payment or gifts to respondents.


  1. Assurances of confidentiality. The funding recipient’s name, address, unique entity identifier (UEI) number, and business type will be disclosed in accordance with the Federal Funding Accountability and Transparency Act/Digital Accountability and Transparency Act (FFATA/DATA) reporting requirements. Commitment and disbursement information also will be made public. We intend to keep other information private to the extent permitted by law. Further, sensitive cybersecurity information contained in the Schools and Libraries Cybersecurity Pilot Program Application (FCC Form 484), as well as information provided in Pilot participants’ initial, annual, and final reports will be presumptively confidential and withheld from routine public inspection; however, we do plan to use aggregated, anonymized, and/or non-specific school or library data as a tool to evaluate the success and impact of the Pilot, including whether and how to fund schools’ and libraries’ cybersecurity needs through the E-Rate program or another universal service program on an ongoing basis.


  1. Questions of a sensitive nature. We recognize that FCC Form 484 applications could contain sensitive information. As such, the USAC cybersecurity platform that applicants, and participants once selected for the Pilot, will use to submit their FCC Form 484 applications will be a closed system that can only be accessed by the applicant or participant, or persons designated by the applicant or participant, USAC, and the FCC. Applicants and participants will not be able to view each other’s FCC Form 484 applications and the sensitive cybersecurity information on the FCC Form 484 data will not be made available to the public. However, the other Pilot form data, FCC Forms 470, 471, and 472/474 data, may be publicly available as federal funding is being provided to the Pilot participants, and the public data may include the name of the Pilot participant, services and equipment requested, names of service providers, and the amount of Pilot funding committed and disbursed. To address those concerns, the Cybersecurity Pilot Program Report and Order directs Commission and USAC staff to abide by all applicable federal and state laws in carrying out the Pilot and any audits of the program and treat information provided as presumptively confidential.


This information collection includes personally identifiable information (PII) in the form of business

contact information, which will be protected in accordance with the Privacy Act.  Maintenance and

potential disclosure of the PII information is covered by the FCC-2, Business Contacts

and Certifications, System of Records Notice (SORN), posted at

https://www.fcc.gov/managingdirector/privacy-transparency/privacy-act-information.  A Privacy Act

Statement citing the FCC-2 SORN will be provided to respondents at the time the PII is collected.

12.  Estimates of the hour burden of the collection to respondents. The following represents the  

hour burden on the collection of information: 

a. Submission of Schools and Libraries Cybersecurity Pilot Program FCC Form 484 “Application”.  (Revised to include third part of application to collect annual reporting data from participants. Updated to account for the actual number of applicants and participants in the Pilot Program. Updated Mean Hourly Wage)

(1) Number of respondents:  3,500 (Approximately 2,500 respondents for first part of application.  Approximately 1,000 respondents for each of the second and third parts of application.) 

(2) Frequency of response: Once (for first and second parts of the application). Annually for the third part of the application.)

(3) Total number of responses per respondent:  1.86 

(4) Hourly burden per respondent: 14  

14 hours (to fill out the form to comply with reporting requirements)

(5) Total annual burden:  91,140

3,500 (number of respondents) x 1.86 (estimated number of submissions) x 14 hours = 91,140

(6) Total estimate of in-house cost to respondents:  $3,872,539

(7) Explanation of Calculation:  We estimate that: 


    1. It will take approximately 14 hours to fill out the FCC Form 484 for the reporting requirements (3,500 respondents x 14 hours x 1.86 Form = 91,140).   


    1. Approximately 3,500 respondents will spend approximately 14 hours to comply with requirements preparing and submitting the FCC Form 484 at a cost of $42.49 per hour. 

91,140 hours x $42.49/hour = $3,872,539 cost for the reporting requirements 

Summary of Estimated Total Annual Burden Hours for FCC Form 484. 

Total Number of Respondents: 3,500

Total Number of Reponses:  6,510

Total Annual Hourly Burden:  91,140 hours

91,140 hours for reporting requirements.

b. Submission of Schools and Libraries Cybersecurity Pilot Program FCC Form 470 - “Description of Services Requested and Certification” (FCC Form 470 – Cybersecurity). (Updated with actual number of Pilot participants. Updated Mean Hourly Wage)

(1) Number of respondents:  approximately 1,000 

(2) Frequency of response:  Once. 

(3) Total number of responses per respondent:  1 

(4) Hourly burden per respondent: 3  

3 hours (to fill out the form to comply with reporting requirement). 

(5) Total annual burden

1,000 (number of respondents) x 1 (estimated number of submissions) x 3 hours = 3,000 

(6) Total estimate of in-house cost to respondents:  $127,470

  1. Explanation of calculation:  We estimate that: 


    1. It will take approximately 3 hours to fill out the FCC Form 470 - Cybersecurity for the reporting requirements (1,000 respondents x 3 hours x 1 Form = 3,000).   


    1. Approximately 1,000 respondents will spend approximately 3 hours to comply with requirements preparing and submitting the FCC Form 470 - Cybersecurity at a cost of $42.49 per hour. 


3,000 hours x $42.49/hour = $127,470 cost for the reporting requirements 

Summary of Estimated Total Annual Burden Hours for FCC Form 470 - Cybersecurity: 

Total Number of Respondents:  1,000 respondents

Total Number of Reponses:  1,000 responses 

Total Annual Hourly Burden:  3,000 hours 

3,000 hours for reporting requirements 

c) Submission of Schools and Libraries Cybersecurity Pilot Program FCC Form 471 - “Services Ordered and Certification” (FCC Form 471 – Cybersecurity). (Updated with actual number of Pilot participants. Updated Mean Hourly Wage) 

(1) Number of respondents:  approximately 1,000 

(2) Frequency of response:  Once. 

(3) Total number of responses per respondent:  1.7 

(4) Hourly burden per respondent: 4  

4 hours (to fill out the form to comply with reporting requirement)

(5) Total annual burden

1,000 (number of respondents) x 1.7 (estimated number of submissions) x 4 hours = 6,800

(6) Total estimate of in-house cost to respondents:  $288,932

(7) Explanation of calculation:  We estimate that: 

    1. It will take approximately 4 hours to fill out the FCC Form 471- Cybersecurity for the reporting requirements (1,000 respondents x 4 hours x 1.7 Forms = 6,800).   


    1. Approximately 1,000 respondents will spend approximately 4 hours to comply with requirements preparing and submitting the FCC Form 471- Cybersecurity at a cost of $42.49 per hour).

6,800 hours x $42.49/hour = $288,932 cost for the reporting requirement. 

Summary of Estimated Total Annual Burden Hours for FCC Form 471 - Cybersecurity: 

Total Number of Respondents:  1,000 respondents

Total Number of Responses:  1,700 responses

Total Annual Hourly Burden:  6,800

6,800 hours for reporting requirements. 

d. Submission of Schools and Libraries Cybersecurity Pilot Program Request for Reimbursement (FCC Form 472/FCC Form 474 - Cybersecurity). (Updated with actual number of Pilot participants. Updated Mean Hourly Wage) 

(1) Number of respondents:  Approximately 1,000 respondents. 

(2) Frequency of response:  On occasion.   

(3) Total number of responses per respondent:  4 

(4) Hourly burden per respondent:  1

1 hour (to fill out the form to comply with reporting requirement)

(5) Total annual burden: 4,000


1,000 (number of respondents) x 4 (estimated number of submissions) x 1 hours = 4,000 

(6) Total estimate of in-house cost to respondents for the hour burdens for collection of information:  $169,960

(7) Estimate of Calculation:  We estimate that: 


  1. It will take approximately 1 hour to fill out the FCC Form 472/474 - Cybersecurity for the reporting requirement (1,000 respondents x 1 hour x 4 Forms = 4,000).


  1. Approximately 1,000 respondents will spend approximately 1 hour to comply with requirements preparing the FCC Forms 472/474 - Cybersecurity at a cost of $42.49 per hour.

4,000 hours x $42.49hour = $169,960 cost for reporting requirements. 

Summary of Estimated Total Annual Burden Hours for FCC Form 472/474 - Cybersecurity:  

Total Number of Respondents:  1,000 respondents. 

Total Number of Responses:  4,000 (1,000 respondents x 4 Forms = 4,000)  

Total Annual Hourly Burden:  (1,000 respondents x 4 Form submissions x 1 hours)  = 4,000

4,000 hours for reporting requirements. 

e. Submission of Schools and Libraries Cybersecurity Pilot Program Post-Commitment Change Request Form (streamlined information collection based on the ECF Change Request Form (using FCC Forms 471/486/500/) for use in the Cybersecurity Pilot Program) (FCC Form 488 – Cybersecurity). (Updated Mean Hourly Wage)

(1) Number of respondents: Approximately 1,000 respondents.

(2) Frequency of response: On occasion.

(3) Total number of responses per respondent: 1

(4) Hourly burden per respondent: 1 hour (to fill out the form to comply with reporting requirement)

(5) Total annual burden: = 1,000

1,000 (number of respondents) x 1 (estimated number of submissions) x 1 hour = 1,000

(6) Total estimate of in-house cost to respondents: $42,490

(7) Explanation of calculation: We estimate that:

(a) It will take approximately 1 hour to provide data for the FCC Form 488 - Cybersecurity for the reporting requirements (1,000 respondents x 1 hour x 1 Form = 1,000).

(b) Approximately 1,000 respondents will spend approximately 1 hour to comply with requirements preparing the FCC Form 488 - Cybersecurity at a cost of $42.49 per hour.

1,000 hours x $42.49/hour = $42,490 cost for reporting requirements.

Summary of Estimated Total Annual Burden Hours for FCC Form 488 - Cybersecurity:

Total Number of Respondents: 1,000 respondents

Total Number of Responses: 1,000 (1,000 respondents x 1 Form = 1,000)

Total Annual Hourly Burden: 1,000 (1,000 respondents x 1 Form submission x 1 hours)

1,000 hours for reporting requirements.

f. Submission of Schools and Libraries Cybersecurity Pilot Program Recordkeeping. (Updated to account for the actual number of applicants and participants in the Pilot Program. Updated Mean Hourly Wage)

(1) Number of respondents:  approximately 3,500 

(2) Frequency of response:  Annual recordkeeping requirement.

(3) Total number of responses per respondent:  1 

(4) Hourly burden per respondent: 4.50  

4.5 hours (to comply with recordkeeping requirements). 

(5) Total annual burden

3,500 (number of respondents) x 1 (estimated number of submissions) x 4.50 hours = 15,750

(6) Total estimate of in-house cost to respondents:  $669,218

(7) Explanation of calculation:  We estimate that: 


(a) Approximately 3,500 respondents will spend approximately 4.50 hours to comply with the ten-year recordkeeping requirement at a cost of $42.49 per hour. 


(b) 15,750 hours x $42.49/hour = $669,218 cost for the recordkeeping requirements. 

Summary of Estimated Total Annual Burden Hours for FCC Recordkeeping Requirements: 

Total Number of Respondents:  3,500 respondents

Total Number of Reponses:  3,500 responses 

Total Annual Hourly Burden:  15,750 hours 

15,750 hours for recordkeeping requirements. 

The estimated respondents, responses, and burden hours are listed below:  



Information Collection Requirements 

Number of Respondents 

Total Number of Responses 

Hourly Burden Per Response 

Total Annual Hourly Burden 

Total In-House Cost to the Respondents 

  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 484

3,500 

6,510

14 

91,140 

$3,872,539 

  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 470 - Cybersecurity

1,000 

1,000 

3,000

$127,470

  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 471 – Cybersecurity

1,000 

1,700 

4

6,800 

$288,932

  1. Schools and Libraries Cybersecurity Pilot Program FCC Forms 472/474 - Cybersecurity 

1,000 

4,000

1

4,000 

$169,960

  1. Schools and Libraries Cybersecurity Pilot Program FCC Form 488 - Cybersecurity

1,000

1,000

1

1,000

$42,490

  1. Schools and Libraries Cybersecurity Pilot Program Recordkeeping

3,500

3,500

4.5

15,750

$669,218

Grand Total 

3,500 unique respondents`

17,710

27.5

121,690

$5,170,609

13.  Total Annual Costs to Respondents.  There are no outside contracting costs for this information collection.  See the total in item 12 above for the estimated in-house costs to respondents. 

14.  Estimates of the Cost Burden to the Commission.  There will be few, if any, additional costs to the Commission because notice, enforcement, and policy analysis associated with the Universal Service Fund are already part of the Commission’s duties.  Moreover, there will be minimal cost to the Federal government because a third party, USAC, administers the Universal Ser vice Fund and support mechanisms. 

15. Program Changes or Adjustments. The Commission is reporting program changes and adjustments to this information collection. The Commission added a third part to FCC Form 484 for participants (selected from the applicants that submitted the first part of FCC Form 484) in the Pilot Program. Adding the third part to FCC Form 484 decreased the number of respondents. In addition, we revised language to the certifications in FCC Form 471. There are no changes to the burden hours for completing FCC Form 471 since the program change only included revising the certification language.


The Commission makes the following program changes:

(a) the total number of annual respondents has increased by +1,000, from 2,500 to 3,500 annual number of respondents;

(b) the total number of annual responses has decreased by -198,240, from 215,950 to 17,710 annual number of responses; and

(c) the total number of annual hours has decreased by -716,860, from 838,550 to 121,690 annual number of hours; and


The Commission has re-evaluated the existing burdens associated with this information collection since the last time this information collection was reviewed and approved by OMB. In this submission, there is a change in the number of respondents because the actual number of respondents that applied to participate in the Cybersecurity Pilot Program and submitted the first part of the Cybersecurity Pilot Program FCC Form 484 was significantly smaller than the estimated number of Cybersecurity Pilot Program participants that were estimated to apply for the Pilot Program. The change in the number of responses also takes into account the annual reporting data that needs to be collected from Cybersecurity Pilot Program participants.


The Commission makes the following adjustments:

(a) the total number of annual respondents has decreased by -20,500, from 23,000 to 2,500 annual number of respondents;

(b) the total number of responses has increased by +14,850, from 201,100 to 215,950 annual number of responses;

(c) the total number of annual hours has increased by +94,650, from 743,900 to 838,550 annual number of hours.

16. Collections of information whose results will be published. The Commission will publish the selected participants for the Cybersecurity Pilot Program and may publish funding request (FCC Form 471 - Cybersecurity) and funding disbursement (FCC Forms 472/474 - Cybersecurity) data. At this time, the Commission has no plans to publish data collected for statistical use or other reports. However, the Commission may publish such data in the future, to the extent that the data’s confidentiality is not protected under law, in the course of carrying out the Commission’s policymaking responsibilities.



17. Display the expiration date for OMB approval of the information collection. The Commission seeks

approval to not display the expiration date for OMB approval of this information collection. OMB approval of the expiration date of the information collection will be displayed on OMB’s website.


  1. Exceptions to certification statement for Paperwork Reduction Act Submissions. There are no exceptions to the Certification Statement.


B. Collections of Information Employing Statistical Methods:


The Commission does not anticipate that the collection of information will employ statistical methods.

1 Cybersecurity Pilot Program Report and Order at Appendix A.

14


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title3060-0806
AuthorSHAIR
File Modified0000-00-00
File Created2025-07-01

© 2025 OMB.report | Privacy Policy