iboss E-Rate Eligibility Matrix

Under the current USAC Eligible Services List, certain components of the iboss SASE platform qualify for E-Rate Category 2 funding as basic maintenance of internal connections (BMIC) or managed internal broadband services (MIBS). Understanding which specific iboss capabilities fall within E-Rate eligibility is essential for accurate Form 471 filing and cost allocation.

The iboss Secure Web Gateway (SWG) and content filtering module is the most clearly E-Rate-eligible component of the iboss platform. Content filtering is a foundational E-Rate Category 2 service that also supports CIPA compliance requirements. When deployed as a cloud-delivered service, iboss SWG qualifies under the managed internal broadband services designation, which USAC defines as services provided by a third party to operate, manage, and monitor a school's or library's internal broadband network.

Firewall as a Service (FWaaS) delivered through the iboss cloud is also eligible under Category 2. Traditional firewalls have long been an eligible internal connections component, and USAC has confirmed that cloud-delivered firewall capabilities receive the same eligibility treatment. Districts should describe iboss FWaaS using standard E-Rate terminology in their Form 471 narrative — specifically referencing firewall services as a component of basic maintenance of internal connections to ensure alignment with USAC's review criteria.

• Secure Web Gateway (SWG) / Content Filtering — Eligible under BMIC and MIBS
• Firewall as a Service (FWaaS) — Eligible under Category 2 internal connections
• DNS-layer security (basic filtering component) — Eligible as part of content filtering
• SSL/TLS decryption for content inspection — Eligible as a component of SWG/firewall services

The FCC Cybersecurity Pilot Program expands funding eligibility to cover the full iboss SASE stack, including advanced security capabilities that are not eligible under traditional E-Rate. This broader eligibility makes the pilot program a critical funding vehicle for districts seeking comprehensive cloud-delivered security.

Zero Trust Network Access (ZTNA) provides identity-verified, context-aware access controls that enforce the principle of least privilege across all district applications and resources. ZTNA is eligible under the pilot's identity and access management category. Cloud Access Security Broker (CASB) capabilities provide visibility into sanctioned and unsanctioned SaaS application usage, enforce data sharing policies, and detect anomalous user behavior across cloud platforms — this maps to the pilot's cloud security and monitoring categories.

Data Loss Prevention (DLP) scans outbound traffic for sensitive data patterns including student PII, Social Security numbers, and financial records, preventing unauthorized exfiltration. DLP is eligible under the pilot's data protection category. Remote Browser Isolation (RBI) executes web sessions in a secure cloud container, rendering only safe visual output to the endpoint — this capability qualifies under the pilot's advanced threat protection category. Together, these iboss components deliver the defense-in-depth architecture that the FCC envisioned when establishing the pilot program.

• Zero Trust Network Access (ZTNA) — Eligible under identity and access management
• Cloud Access Security Broker (CASB) — Eligible under cloud security and monitoring
• Data Loss Prevention (DLP) — Eligible under data protection services
• Remote Browser Isolation (RBI) — Eligible under advanced threat protection
• Security analytics and reporting dashboards — Eligible under monitoring and logging
• Managed detection and response services — Eligible under managed security services

Accurate service type coding on FCC Form 471 is essential for smooth application processing. USAC uses a standardized coding system to classify requested services, and incorrect codes are one of the most common causes of PIA inquiries and funding delays. The following guidance identifies the correct codes for iboss services under both E-Rate Category 2 and the Cybersecurity Pilot Program.

For E-Rate Category 2 applications, iboss SWG and content filtering services should be filed under the BMIC function code with the appropriate product type for managed services. Firewall as a Service should use the internal connections function code designated for firewall equipment and services. When filing, ensure that the narrative description on each Funding Request Number (FRN) precisely describes the iboss service component being requested and explicitly references its Category 2 eligibility.

For Cybersecurity Pilot Program applications, the FCC is expected to establish a new set of service codes specific to the pilot's expanded eligibility categories. Districts should monitor USAC announcements for the publication of pilot-specific codes. In the interim, Calbrate maintains a current mapping of iboss service components to the most applicable existing and anticipated service codes, which is available to all Calbrate partner districts upon request. Your Calbrate account team will provide updated code guidance as the FCC finalizes pilot program procedures.

Cost allocation is necessary whenever a single iboss subscription or contract includes both E-Rate-eligible and non-eligible service components. Because the iboss SASE platform delivers multiple security functions through a unified license, districts must allocate costs between eligible and ineligible portions before filing Form 471. USAC requires that cost allocations be based on a reasonable methodology and supported by documentation.

The most defensible cost allocation methodology for iboss deployments is a component-based approach that assigns a specific value to each functional module within the platform. Calbrate works with iboss to provide component-level pricing breakdowns that identify the cost attributable to each service capability — SWG, FWaaS, ZTNA, CASB, DLP, and RBI. This approach allows districts to claim E-Rate funding only for the eligible components (SWG and FWaaS) while separately claiming the remaining components under the Cybersecurity Pilot Program or funding them through local budget.

Alternative allocation methodologies include usage-based allocation, where costs are distributed based on the proportion of network traffic processed by each function, and proportional allocation, where costs are divided equally among the number of functional modules. Whichever methodology is chosen, it must be applied consistently and documented in the Form 471 narrative. USAC reviewers are more likely to accept allocations that are simple, well-documented, and based on verifiable data rather than estimates or assumptions.

USAC requires comprehensive documentation to support E-Rate applications, and maintaining organized records is equally important for cybersecurity pilot applications. Districts should establish a documentation file for each funding year that includes all materials from the competitive bidding process through final reimbursement.

Required documentation includes the signed vendor contract specifying all services, pricing, term dates, and service level agreements. The contract must align with what was described on Form 470 and requested on Form 471. For iboss deployments, the contract should itemize each service component separately with individual pricing, even if the services are delivered through a single platform license. This itemization supports the cost allocation and makes USAC review more straightforward.

Additional documentation requirements include the bid evaluation matrix showing how all vendor responses were scored, all vendor correspondence during the competitive bidding period, board minutes or approval documentation authorizing the contract, the cost allocation methodology worksheet with supporting calculations, and proof of service delivery such as iboss deployment confirmation reports or usage analytics. Districts must retain all E-Rate documentation for a minimum of ten years from the last date of service or the last date of the funding commitment, whichever is later. Calbrate provides documentation templates and retention checklists to help partner districts maintain audit-ready records throughout the retention period.

• Signed vendor contract with itemized service components and pricing
• Bid evaluation matrix documenting competitive selection process
• All vendor communications during the Form 470 posting period
• Cost allocation methodology worksheet with supporting calculations
• Board approval minutes authorizing the procurement
• Proof of service delivery and deployment confirmation
• Form 486 CIPA compliance certification documentation

Years of E-Rate application experience have revealed recurring mistakes that lead to funding denials, delayed commitments, and audit findings. Districts applying for iboss SASE funding should be aware of these pitfalls and take proactive steps to avoid them.

Incorrect service categorization is the most frequent error. Filing iboss cloud security services under Category 1 (internet access) instead of Category 2 (internal connections) will result in denial, as USAC considers security filtering and firewall services to be internal connections functions rather than data transmission services. Similarly, attempting to claim advanced SASE capabilities such as ZTNA or DLP under E-Rate Category 2 — when these services are not on the current Eligible Services List — will result in denial and may trigger additional scrutiny of the district's other funding requests.

Competitive bidding violations remain a leading cause of funding denials and audit recoveries. Common violations include failing to maintain the 28-day Form 470 posting period, using product-specific language on Form 470 that effectively limits competition, failing to evaluate all received bids, and not documenting the evaluation process. Bundled pricing is another frequent issue: if a vendor provides a single price for eligible and ineligible services without an itemized breakdown, USAC may deny the entire FRN. Districts should insist on itemized pricing from all vendors, including iboss, to ensure clean cost allocation and audit defensibility.

• Do not file cloud security services under Category 1 — they belong in Category 2
• Do not claim ineligible SASE components (ZTNA, CASB, DLP) under E-Rate
• Do not use vendor or product names on Form 470 during the bidding period
• Do not accept bundled pricing without itemized component breakdowns
• Do not discard bidding documentation — retain all records for ten years
• Do not miss the 120-day Form 486 filing window after receiving your FCDL