Wireline Competition Bureau Seeks Comment on Requests To Allow the Use of E-Rate Funds for Advanced or Next-Generation Firewalls and Other Network Security Services

Issuing agencies

Abstract

In this document, the Wireline Competition Bureau (the Bureau) seeks comment on petitions seeking permission to use E-Rate program funds to support advanced or next-generation firewalls and services, as well as the related funding year 2023 ESL proceeding filings. In so doing, the Bureau highlights four filings that together cover the requests and issues raised by the filers listed in this document.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 4 (Friday, January 6, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 4 (Friday, January 6, 2023)]
[Proposed Rules]
[Pages 1035-1037]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-28657]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 54

[WC Docket No. 13-184; DA 22-1315; FR ID 121590]


Wireline Competition Bureau Seeks Comment on Requests To Allow 
the Use of E-Rate Funds for Advanced or Next-Generation Firewalls and 
Other Network Security Services

AGENCY: Federal Communications Commission.

ACTION: Proposed action.

-----------------------------------------------------------------------

SUMMARY: In this document, the Wireline Competition Bureau (the Bureau) 
seeks comment on petitions seeking permission to use E-Rate program 
funds to support advanced or next-generation firewalls and services, as 
well as the related funding year 2023 ESL proceeding filings. In so 
doing, the Bureau highlights four filings that together cover the 
requests and issues raised by the filers listed in this document.

DATES: Comments are due February 13, 2023 and reply comments are due 
March 30, 2023.

ADDRESSES: Pursuant to Sec. Sec.  1.415 and 1.419 of the Federal 
Communications Commission's (Commission's) rules, 47 CFR 1.415, 1.419, 
interested parties may file comments on or before February 13, 2023, 
and reply comments on or before March 30, 2023. All filings should 
refer to WC Docket No. 13-184. Comments may be filed by paper or by 
using the Commission's Electronic Comment Filing System (ECFS). See 
Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 
(1998).
    [ssquf] Electronic Filers: Comments and replies may be filed 
electronically using the internet by accessing ECFS: <a href="http://www.fcc.gov/ecfs">http://www.fcc.gov/ecfs</a>.
    [ssquf] Paper Filers: Parties who choose to file by paper must file 
an original and one copy of each filing. If more than one docket or 
rulemaking number appears in the caption of this proceeding, filers 
must submit two additional copies for each additional docket or 
rulemaking number.
    [ssquf] Filings can be sent by commercial overnight courier or by 
first-class or overnight U.S. Postal Service mail. Filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
    [ssquf] Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
    [ssquf] U.S. Postal Service first-class, Express, and Priority mail 
must be addressed to 45 L St. NE, Washington, DC 20554.
    [ssquf] Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings. 
This is a temporary measure taken to help protect the health and safety 
of individuals, and to mitigate the transmission of COVID-19 (see FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020)) <a href="https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy">https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy</a>.

FOR FURTHER INFORMATION CONTACT: Joseph Schlingbaum, Wireline 
Competition Bureau, (202) 418-7400 or by email at 
<a href="/cdn-cgi/l/email-protection#5a1035293f2a32740939323633343d383b2f371a3c3939743d352c"><span class="__cf_email__" data-cfemail="1f55706c7a6f77314c7c77737671787d7e6a725f797c7c31787069">[email&#160;protected]</span></a>. The Commission asks that requests for 
accommodations be made as soon as possible in order to allow the agency 
to satisfy such requests whenever possible. Send an email to 
<a href="/cdn-cgi/l/email-protection#5e383d3d6b6e6a1e383d3d70393128"><span class="__cf_email__" data-cfemail="caaca9a9fffafe8aaca9a9e4ada5bc">[email&#160;protected]</span></a> or call the Consumer and Governmental Affairs Bureau at 
(202) 418-0530.

SUPPLEMENTARY INFORMATION: This is a summary of the Bureau's Public 
Notice (Notice) in WC Docket No. 13-184; DA 22-1315, released on 
December 14, 2022. Due to the COVID-19 pandemic, the Commission's 
headquarters will be closed to the general public until further notice. 
The full text of this document is available at the following internet 
address: <a href="https://www.fcc.gov/document/fcc-seeks-comment-using-e-rate-funding-support-remote-learning">https://www.fcc.gov/document/fcc-seeks-comment-using-e-rate-funding-support-remote-learning</a>.
    Proceedings in this Notice shall be treated as a ``permit-but-
disclose'' proceeding in accordance with the Commission's ex parte 
rules. Persons making ex parte presentations must file a copy of any 
written presentation or a memorandum summarizing any oral presentation 
within two business days after the presentation (unless a different 
deadline applicable to the Sunshine period applies). Persons making 
oral ex parte presentations are reminded that memoranda summarizing the 
presentation must list all persons attending or otherwise participating 
in the meeting at which the ex parte presentation was made, and 
summarize all data presented and arguments made during the 
presentation. If the presentation consisted in whole or in part of the 
presentation of data or arguments already reflected in the presenter's 
written comments, memoranda or other filings in the proceeding, the 
presenter may provide citations to such data or arguments in

[[Page 1036]]

his or her prior comments, memoranda, or other filings (specifying the 
relevant page and/or paragraph numbers where such data or arguments can 
be found) in lieu of summarizing them in the memorandum. Documents 
shown or given to Commission staff during ex parte meetings are deemed 
to be written ex parte presentations and must be filed consistent with 
rule Sec.  1.1206(b). In proceedings governed by rule Sec.  1.49(f) or 
for which the Commission has made available a method of electronic 
filing, written ex parte presentations and memoranda summarizing oral 
ex parte presentations, and all attachments thereto, must be filed 
through the electronic comment filing system available for that 
proceeding, and must be filed in their native format (e.g., .doc, .xml, 
.ppt, searchable .pdf). Participants in these proceedings should 
familiarize themselves with the Commission's ex parte rules.
    1. The Commission has received several petitions and requests from 
E-Rate stakeholders through the annual E-Rate eligible services list 
(ESL) proceedings, asking that the Commission permit the use of E-Rate 
program funds to support advanced or next-generation firewalls and 
services, as well as other network security services. By this Notice, 
the Bureau seeks comment on these petitions as well as the related 
funding year 2023 ESL proceeding filings. In so doing, the Bureau 
highlights four filings in the following that together cover the 
requests and issues raised by the filers listed in the following: (1) a 
petition for waiver filed by Cisco Systems, Inc. (Cisco); (2) a 
petition for declaratory ruling and petition for rulemaking filed by a 
coalition led by the Consortium for School Networking (CoSN); (3) a 
proposed three-year E-Rate cybersecurity pilot program by Funds for 
Learning (FFL); and (4) a letter from 20 national educational groups 
led by AASA, The School Superintendents Association (AASA).
    2. The Petitions and ESL Filings. During the COVID-19 pandemic, 
several E-Rate stakeholders submitted petitions asking the Commission 
to reconsider the eligibility of advanced firewall and network security 
services given the increased use of schools' broadband networks to 
provide remote learning to their students. On August 20, 2020, Cisco 
submitted a Petition for Waiver asking that Commission raise 
applicants' Category Two budgets by 10% and allow Category Two funding 
to be used for advanced network security services during the COVID-19 
pandemic (i.e., for funding years 2020 and 2021). On February 8, 2021, 
the Commission received a petition for declaratory ruling and petition 
for rulemaking from a group of E-Rate program stakeholders (including 
CoSN, Alliance for Excellence in Education, State Educational 
Technology Directors Association (SETDA), Council of the Great City 
Schools, State E-Rate Coordinators' Alliance (SECA), and Schools, 
Health & Libraries Broadband (SHLB) Coalition) (collectively, 
Petitioners) requesting that the definition of ``firewall'' be modified 
to include all firewall and related features (e.g., next generation 
firewall protection, endpoint protection, and advanced security) and to 
update the definition of broadband to include cybersecurity. CoSN, 
along with FFL, provided a study and the costs associated with adding 
advanced firewall and other network security services to the E-Rate 
program and estimated that it would cost the program about $2.389 
billion annually to fund these advanced network security services for 
all K-12 schools. The Petitioners also asked the Commission to increase 
the current Category Two budgets to include additional funding for 
advanced firewall and other network security services.
    3. In October 2021, the President signed the K-12 Cybersecurity Act 
of 2021, which directed the U.S. Department of Homeland Security to 
conduct a study of K-12 cybersecurity risks that addresses the specific 
risks that impact K-12 educations institutions; evaluates cybersecurity 
challenges K-12 educational institutions face; and identifies 
cybersecurity challenges related to remote learning. The Bureau 
declined to expand the eligibility of advanced firewalls and services 
or add additional network security services for funding year 2022, 
explaining that ``this legislation and forthcoming report will provide 
invaluable insights into what cybersecurity services will be most 
impactful for K-12 educational institutions.''
    4. As part of the funding year 2023 ESL proceeding, a diverse group 
of E-Rate stakeholders submitted comments, reply comments, and ex parte 
submissions requesting that the Commission reconsider its earlier 
eligibility decisions and clarify that advanced or next-generation 
firewalls and services are eligible for E-Rate support. As part of this 
proceeding, AASA, along with 19 other national educational 
organizations, requested that the Commission take a measured approach 
in deciding whether to expand the eligibility of advanced firewalls and 
services, as well as other cybersecurity services. These stakeholders 
urge the Commission to work collaboratively with other federal agencies 
to ``determine the products and services that are available and 
effective in responding to and preventing cyberattacks . . . schools 
should not be driving the response to cyberattacks, nor should E-Rate, 
the only federal funding stream supporting connectivity in schools, be 
repurposed/redirected for this important effort.''
    5. On October 20, 2022, the U.S. Government Accountability Office 
(GAO) published a report finding that additional federal coordination 
is needed to enhance K-12 school cybersecurity. The GAO recommended 
that the Secretary of Education: (1) establish a collaborative 
mechanism, such as a government coordinating council, to coordinate 
cybersecurity efforts between federal agencies and with the K-12 school 
community; (2) develop metrics for obtaining feedback to measure the 
effectiveness of the Department of Education's cybersecurity-related 
products and services for school districts; and (3) coordinate with the 
Cybersecurity and Infrastructure Security Agency (CISA) to determine 
how best to help school districts overcome the identified challenges 
and consider the identified opportunities for addressing cyber threats 
as appropriate. The GAO further recommended that the Secretary of the 
Department of Homeland Security should ensure that the Director of CISA 
develops metrics for measuring the effectiveness of its K-12 
cybersecurity-related products and services that are available for 
school districts and determine the extent that CISA meets the needs of 
state and local-level school districts to combat cybersecurity threats.
    6. Most recently, on November 15, 2022, the Commission received a 
proposal for a three-year pilot program to fund advanced firewalls and 
services as a Category Two service. FFL proposes that the Commission 
establish a three-year pilot program to fund advanced firewalls and 
services as a Category Two service. FFL also proposes that a funding 
cap of at least $60 million to $120 million be used as the funding cap 
for each of the three years. FFL further proposes that in the event 
demand exceeds available funds, that the pilot funding be prioritized 
to the applicants with the highest discount rates, and that the 
Commission deny funding for the remaining applicants with lower 
discount rates when the capped pilot funds are exhausted.
    7. The Bureau seeks comment on these and other issues raised by the 
referenced petitions and filings. To focus our consideration of these

[[Page 1037]]

requests, the Bureau offers several more specific areas of inquiry in 
the following.
    8. Definition of Advanced or Next-Generation Firewalls and 
Services. In the E-Rate program, firewall is currently defined as ``a 
hardware and software combination that sits at the boundary between an 
organization's network and the outside world, and protects the network 
against unauthorized access or intrusions.'' The Bureau seeks comment 
on this definition and, as discussed in the following, whether any 
modifications may be appropriate.
    9. Eligible Equipment and Services and their Costs. The Bureau 
further seeks comment on the specific equipment and services that E-
Rate should support to fund as advanced or next-generation firewalls 
and services, as well as the costs associated with funding these 
services. For example, Fortinet requests E-Rate support for advanced or 
next-generation firewalls and services that include the following 
capabilities: intrusion prevention/intrusion detection (IPS/IDS); 
virtual private networks; distributed denial-of-service (DDoS) 
protection; and network access control (NAC). FFL suggests advanced 
firewall features should include ``intrusion detection/prevention, 
malware detection/filtering, application control/visibility, antispam 
services, URL/DNS filtering, and endpoint-related protections.'' What 
are the advanced or next-generation firewalls and services needed to 
protect schools' and libraries' broadband networks from cyberattacks? 
What advanced firewall services should be considered to be eligible 
``advanced or next-generation services'' for E-Rate support? How should 
funding for these advanced services be prioritized, given that there is 
not sufficient E-Rate support to fund every advanced or next-generation 
firewall service? For example, should end-point related protections be 
excluded from E-Rate eligible ``advanced or next-generation firewalls 
and services? Why or why not? The Bureau also seeks comment on whether 
firewall as a service (FWaaS) should be eligible for E-Rate support. 
The Bureau encourages schools, libraries, and other stakeholders that 
have recent experience with advanced firewall services and the related-
costs to provide specific information about the services they are 
purchasing, the costs they are paying, and what they have done to 
ensure these services and equipment are sufficient to protect their 
broadband networks and that the costs are reasonable.
    10. Considering the E-Rate program's limited funds and the evolving 
connectivity needs of schools and libraries, should the Commission 
expand E-Rate support to fund advanced or next-generation firewalls and 
services, or continue to fund only basic firewalls and services as is 
currently allowed in the E-Rate program? Why or why not? Do commenters 
believe that expanding support to include advanced or next-generation 
firewalls and services is a prudent use of limited E-Rate funds? Would 
doing so affect the E-Rate program's longstanding goal of basic 
connectivity? Instead of expanding the eligibility of firewalls and 
services at this time, should the Commission continue working with its 
federal partners, including CISA and the Department of Education to 
develop a holistic approach to address and prevent cyberattacks against 
the K-12 schools and libraries? For example, are any non-E-Rate funded 
services and equipment needed to fully address and prevent these 
cyberattacks, such as training and implementing a cybersecurity 
framework and program at each school and library? Will providing 
funding only for advanced or next-generation firewalls and services be 
sufficient to protect K-12 schools' and libraries networks from 
cyberattacks? Is the amount of E-Rate funding allowed under its funding 
cap sufficient to cover all of the eligible schools' and libraries' 
connectivity needs, as well as their advanced firewall and other 
network security services? The Bureau seeks comment on these questions.
    11. Categorization of Firewall Services and Components. Currently, 
pursuant to the Commission's rules, basic firewall service provided as 
part of the vendor's internet access service is eligible as a Category 
One service. Separately priced basic firewall services and components 
are eligible as a Category Two service. The Bureau seeks comment on 
whether advanced or next-generation firewall services and components 
should be eligible as a Category One and/or Category Two service. For 
example, if FWaaS is determined eligible for E-Rate support, should 
FWaaS be eligible for Category One and/or Category Two support? Should 
advanced or next-generation firewalls and services only be eligible for 
Category Two support and subject to the applicant's five-year Category 
Two budget? Why or why not? If advanced firewall or next generation 
services should be eligible as both a Category One and Category Two 
service, how should the Commission delineate these services as a 
Category One and as a Category Two service? The Bureau seeks comment on 
these questions.
    12. Cost-Effective Purchases. If the Commission makes advanced or 
next-generation firewall services eligible as only Category Two 
service, would this be an effective way to ensure applicants are making 
cost-effective choices when requesting these services and equipment? 
Are there other measures the Commission could adopt to ensure cost-
effective purchases of advanced or next-generation firewalls and 
services are being made? Should funding be limited to only cloud-based 
advanced or next-generation firewalls and services to ensure funding is 
not spent on firewall equipment that will need to be replaced every 
three to five years? What are other steps the Commission could take to 
ensure that limited E-Rate funds are cost-effectively used for advanced 
or next-generation firewalls and services? How can these limited funds 
be allocated to ensure applicants are making cost-effective purchases? 
What steps should the Commission take to ensure the constrained E-Rate 
funds are available for its primary purposes of bringing connectivity 
to and within the schools and libraries in light of the significant 
annual costs associated with advanced or next-generation firewalls and 
services?
    13. Legal Issues. Sections 254(c)(1), (c)(3), (h)(1)(B), and (h)(2) 
of the Communications Act collectively grant the Commission broad and 
flexible authority to set the list of services that will be supported 
for eligible schools and libraries, as well as to design the specific 
mechanisms of support. CoSN and Fortinet agree, and urge the Commission 
to use its statutory authority to extend E-Rate eligibility to advanced 
or next-generation firewalls and services. The Bureau invites other 
stakeholders to comment on the Commission's legal authority to add 
advanced or next-generation firewalls and services as an eligible 
service for the E-Rate program. Do other stakeholders agree that the 
addition of these services is within the scope of the Commission's 
legal authority? Are there other legal issues or concerns the 
Commission should consider before extending E-Rate support to advanced 
or next-generation firewalls and services? Are there statutory 
limitations that the Commission should consider? What are these 
limitations? The Bureau seeks comment on these questions.

Federal Communications Commission.
Cheryl Callahan,
Assistant Chief, Telecommunications Access Policy Division, Wireline 
Competition Bureau.
[FR Doc. 2022-28657 Filed 1-5-23; 8:45 am]
BILLING CODE 6712-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>