FCC Cybersecurity Pilot Program Guide

In response to the escalating wave of cyberattacks targeting K-12 school districts and public libraries, the Federal Communications Commission (FCC) announced the Schools and Libraries Cybersecurity Pilot Program in 2023. This landmark initiative allocates $200 million over a three-year period to help eligible institutions acquire advanced cybersecurity services and equipment that are not currently covered under the traditional E-Rate program.

The Cybersecurity Pilot Program represents the FCC's recognition that basic content filtering and firewall protection — the extent of cybersecurity coverage under existing E-Rate rules — are no longer sufficient to defend educational institutions against modern cyber threats. Ransomware attacks on school districts increased by over 300% between 2019 and 2023, with the average cost of recovery exceeding $750,000 per incident. Many districts lack the budget to deploy enterprise-grade cybersecurity tools, leaving them vulnerable to attacks that disrupt learning, compromise sensitive student data, and drain already-constrained operational budgets.

The pilot program is designed to test whether E-Rate-style universal service funding can effectively improve the cybersecurity posture of schools and libraries nationwide. Data collected during the three-year pilot will inform the FCC's decision on whether to establish a permanent cybersecurity funding mechanism within the Universal Service Fund. This makes early participation strategically important — districts that demonstrate successful cybersecurity deployments under the pilot will provide the evidence base for potential long-term program expansion.

Eligibility for the FCC Cybersecurity Pilot Program mirrors the E-Rate program's existing applicant base. Eligible entities include public and private K-12 schools, school districts, public libraries, library systems, and consortia of eligible entities. Applicants must have a current E-Rate eligibility status and an active entity number in the USAC E-Rate Productivity Center (EPC) portal.

Consortia applications are permitted and may be advantageous for smaller districts that lack the administrative capacity to manage a standalone pilot application. A consortium application allows multiple eligible entities to apply under a single lead applicant, potentially reducing administrative burden and enabling economies of scale in vendor contracting. However, each participating entity within the consortium must individually meet eligibility requirements and must be separately identified in the application.

Districts that have not previously participated in E-Rate can establish eligibility by completing the required steps in EPC, including obtaining an FCC Registration Number (FRN) and ensuring their entity data is current. Districts that are already active E-Rate participants should verify that their EPC profiles are up to date before applying to the cybersecurity pilot, as USAC will use existing entity data to verify eligibility and calculate discount levels.

The Cybersecurity Pilot Program covers a significantly broader range of cybersecurity services than the traditional E-Rate program. While E-Rate Category 2 is limited to basic firewall and content filtering capabilities, the pilot program encompasses advanced cybersecurity technologies that reflect the modern threat landscape facing educational institutions.

Eligible service categories under the pilot include advanced next-generation firewalls, endpoint detection and response (EDR) solutions, identity and access management (IAM) platforms, security information and event management (SIEM) systems, domain name system (DNS) security, email security and anti-phishing tools, and network monitoring and intrusion detection capabilities. The pilot also covers cybersecurity training and awareness programs for staff, as well as vulnerability assessment and penetration testing services.

Cloud-delivered security platforms that bundle multiple cybersecurity functions into a unified service offering are explicitly eligible, provided that the individual component services fall within the approved categories. This is particularly relevant for Secure Access Service Edge (SASE) platforms like iboss, which consolidate multiple security functions into a single cloud-native architecture. The pilot program's inclusive approach to cloud-delivered security represents a significant advancement over E-Rate's historically hardware-centric eligibility framework.

• Advanced next-generation firewalls and firewall as a service (FWaaS)
• Endpoint detection and response (EDR) and endpoint protection platforms
• Identity and access management, including zero-trust network access (ZTNA)
• Security information and event management (SIEM) and log analysis
• DNS-layer security and threat intelligence feeds
• Email security, anti-phishing, and anti-malware solutions
• Network monitoring, intrusion detection, and intrusion prevention systems
• Cybersecurity training and awareness programs for staff and administrators

The iboss SASE platform is purpose-built for the types of distributed, cloud-first environments that characterize modern K-12 school districts. Its cloud-native architecture delivers security services from a global network of points of presence, providing consistent protection regardless of whether students and staff connect from school buildings, home networks, or mobile devices. This architecture maps directly to the Cybersecurity Pilot Program's eligible service categories.

iboss Secure Web Gateway (SWG) provides URL filtering, malware scanning, and SSL/TLS inspection capabilities that satisfy the pilot's advanced firewall and web security category. Zero Trust Network Access (ZTNA) delivers identity-based access controls that map to the identity and access management category. Cloud Access Security Broker (CASB) functionality provides visibility and control over SaaS application usage, addressing shadow IT risks that are pervasive in educational environments. Data Loss Prevention (DLP) capabilities protect sensitive student records and personally identifiable information (PII) from exfiltration.

Remote Browser Isolation (RBI) provides an additional layer of protection by rendering web content in a secure cloud container, preventing malicious code from reaching endpoint devices. This capability is particularly valuable for school districts where endpoint management is challenging due to mixed device environments including district-owned Chromebooks, Windows laptops, and student-owned personal devices. The comprehensive nature of the iboss SASE platform means that a single deployment can address multiple eligible service categories under the pilot, simplifying both the application process and ongoing management.

The FCC Cybersecurity Pilot Program application process is expected to follow a structured timeline that shares some procedural elements with E-Rate but includes pilot-specific requirements. Based on the FCC's Order and program guidelines, the application process involves several distinct phases that districts should prepare for well in advance of the filing window.

The first phase requires applicants to submit a cybersecurity needs assessment demonstrating the current state of their security infrastructure and identifying gaps that the pilot funding would address. This assessment should include an inventory of existing security tools, documentation of recent security incidents or vulnerabilities, and a description of the specific threats the district faces. Districts that have conducted formal risk assessments under frameworks such as NIST Cybersecurity Framework (CSF) or the K-12 Cybersecurity Resource Center's guidelines will have a significant advantage in this phase.

The second phase involves submitting a detailed project plan that identifies the specific services and equipment to be deployed, the vendor or vendors selected, the total project cost, and the anticipated timeline for deployment. Applications must demonstrate that the proposed solution addresses identified needs and represents a cost-effective approach to improving the district's cybersecurity posture. Districts should prepare comprehensive documentation packages well before the filing window opens, as the competitive nature of the limited pilot funding means that complete, well-organized applications are more likely to receive favorable review.

Effective budget planning for a Cybersecurity Pilot Program application requires districts to accurately scope their iboss SASE deployment based on the number of users, devices, and locations to be protected. iboss licensing is typically based on user count, which simplifies cost estimation for school districts that have well-documented enrollment and staff figures.

When developing the pilot budget, districts should account for the full cost of the iboss platform over the pilot period, including initial deployment and configuration services, annual subscription licensing, and any required professional services for integration with existing infrastructure. The budget should also include costs for staff training and ongoing managed service support if the district intends to use Calbrate's managed security operations center (SOC) services alongside the iboss platform.

Districts should prepare tiered budget scenarios that account for different levels of pilot funding. A phased deployment approach may be strategically advantageous — for example, deploying core SWG and ZTNA capabilities in phase one and adding CASB, DLP, and RBI in phase two. This approach demonstrates fiscal responsibility while ensuring that the highest-priority security gaps are addressed first. Your Calbrate account team can provide detailed budgetary estimates tailored to your district's specific user count, device profile, and security requirements.

One of the most powerful aspects of the Cybersecurity Pilot Program is its ability to layer with existing E-Rate Category 2 funding. Services that are eligible under traditional E-Rate — such as basic content filtering and firewall — can continue to be funded through E-Rate, while the cybersecurity pilot covers advanced capabilities that fall outside E-Rate's current eligible services list.

For districts deploying iboss SASE, this layered funding approach can significantly reduce out-of-pocket costs. For example, a district might use E-Rate Category 2 funding to cover the cost of iboss SWG and content filtering components while using cybersecurity pilot funding to cover ZTNA, CASB, DLP, and RBI capabilities. The key requirement is that there is no duplication of funding — the same service component cannot be funded by both programs simultaneously.

Proper cost allocation between E-Rate and cybersecurity pilot funding requires careful documentation. Districts should work with their Calbrate account team to develop a clear cost allocation matrix that maps each iboss license component to the appropriate funding source. This matrix should be included in both the E-Rate Form 471 filing and the cybersecurity pilot application to demonstrate compliance with anti-duplication rules and to facilitate USAC's review process.

Successful pilot program applications will demonstrate a clear connection between identified cybersecurity needs, the proposed solution, and the expected outcomes. Districts should begin application preparation months before the filing window by assembling a cross-functional team that includes IT leadership, the E-Rate coordinator, the Chief Financial Officer, and district administration.

The needs assessment component should be grounded in a formal cybersecurity risk assessment. If your district has not recently completed a risk assessment, Calbrate can facilitate a complimentary security posture review that identifies vulnerabilities, quantifies risk exposure, and maps findings to the pilot program's eligible service categories. This assessment provides the evidentiary foundation for the application and demonstrates the district's commitment to a systematic approach to cybersecurity improvement.

Vendor selection documentation should clearly demonstrate that the chosen solution represents the best value for the district's identified needs. While the pilot program's competitive bidding requirements are still being finalized, districts should follow E-Rate competitive bidding best practices as a baseline. This means issuing a request for proposals, evaluating responses against published criteria with price as the primary factor, and maintaining documentation of the entire selection process. Districts should also prepare a sustainability plan describing how they intend to maintain cybersecurity capabilities after the pilot funding period ends, as this is likely to be a factor in USAC's evaluation of applications.

• Conduct a formal cybersecurity risk assessment to support the needs narrative
• Inventory all existing cybersecurity tools and identify specific capability gaps
• Develop a detailed deployment plan with milestones and success metrics
• Prepare a cost allocation matrix separating E-Rate eligible from pilot-eligible services
• Draft a sustainability plan for maintaining security investments post-pilot
• Assemble application documentation well before the filing window opens