The Broadband Equity, Access and Deployment Act (BEAD), a broadband grants program directed towards states and territories, imposes cybersecurity requirements upon subgrantees. There are four key baseline requirements that states (also known as Eligible Entities) must require applicants (or subgrantees) to abide by:
- The prospective subgrantee has a cybersecurity risk management plan (the plan) in place that is either:
  - operational, if the prospective subgrantee is providing service prior to the award of the grant; or
  - ready to be operationalized upon providing service, if the prospective subgrantee is not yet providing service prior to the grant award;
- The plan reflects the latest version of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (currently Version 1.1) and the standards and controls set forth in Executive Order 14028 and specifies the security and privacy controls being implemented;
- The plan will be reevaluated and updated on a periodic basis and as events warrant; and
- The plan will be submitted to the Eligible Entity prior to the allocation of funds. If the subgrantee makes any substantive changes to the plan, a new version will be submitted to the Eligible Entity within 30 days. The Eligible Entity must provide a subgrantee’s plan to NTIA upon NTIA’s request.
NTIA Notice of Funding Opportunity, Section IV (C)(2)(d)(vi), PDF page 70
There are also four requirements with regard to supply chain risk management (SCRM). Eligible Entities need to require a prospective subgrantee to attest that:
- The prospective subgrantee has a SCRM plan in place that is either:
  - operational, if the prospective subgrantee is already providing service at the time of the grant; or
  - ready to be operationalized, if the prospective subgrantee is not yet providing service at the time of grant award;
- The plan is based upon the key practices discussed in the NIST publication NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry and related SCRM guidance from NIST, including NIST 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations and specifies the supply chain risk management controls being implemented;
- The plan will be reevaluated and updated on a periodic basis and as events warrant; and
- The plan will be submitted to the Eligible Entity prior to the allocation of funds. If the subgrantee makes any substantive changes to the plan, a new version will be submitted to the Eligible Entity within 30 days. The Eligible Entity must provide a subgrantee’s plan to NTIA upon NTIA’s request.
NTIA Notice of Funding Opportunity, Section IV (C)(2)(d)(vi), PDF page 71