Securing Federally Funded Networks, With Chris Oatway


In the first installment of ITIF’s Access America series, Jess talks with Verizon’s Chris Oatway about the BEAD program’s cybersecurity requirements and whether they’re enough to keep new networks secure.

Mentioned in This Episode

National Telecommunications and Information Administration (NTIA), Broadband Equity, Access, and Deployment (BEAD) Program Notice of Funding Opportunity (NOFO) (Washington, DC: U.S. Department of Commerce, May 2022).

Matthew P. Barrett, “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1” (Washington, DC: National Institute of Standards and Technology, April 2018).

The White House, “Executive Order on Improving the Nation’s Cybersecurity” (Washington, DC: The White House, May 2021).

Jon Boyens et al., “NISTIR 8276: Key Practices in Cyber Supply Chain Risk Management: Observations from Industry” (Washington, DC: National Institute of Standards and Technology, February 2021).

Jon Boyens et al., “NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations” (Washington, DC: National Institute of Standards and Technology, May 2022).

Auto-Transcript

Jessica Dine:

Hi, and thank you for joining. I’m Jessica Dine, a policy analyst at the Information Technology and Innovation Foundation, which is a think tank focused on the intersection of technology and public policy. This is Access America, a podcast/webinar series where we’ll be breaking down some aspects of one of the most relevant pieces of broadband policy today, the BEAD program.

Now some brief background for those of you who don’t know. The BEAD, or Broadband Equity, Access, and Deployment program, is a $42.45 billion program led by the National Telecommunications and Information Administration, or NTIA, that’s meant to expand digital access to everybody in all US states and territories. Now, that covers a few different things. The main mandate of the BEAD program is to finish deployment, essentially to build out broadband infrastructure to everybody in the country so that everybody has the physical tools to be connected.

Other significant barriers to digital inclusion can include things like affordability or the ability to actually use the internet and BEAD recipients can address those issues if they have remaining funds after they complete deployment. BEAD is right now in the early stages of implementation. States and territories are submitting written plans detailing how they intend to spend the funds, and then once those plans are approved by NTIA, they can start selecting internet service providers or ISPs, the ones who will actually be doing the deployment as subgrantees.

These plans that states are submitting, their initial proposals, must address the criteria laid out by NTIA as requirements for receiving these BEAD funds. These criteria run the gamut from the types of networks that states will fund to their process for selecting subgrantees. But today we’re going to be focusing specifically on the requirements that are relevant to cybersecurity and supply chain risk management.

Now, I have with me today a great guest to sort of lay out the details of this area for us. So joining us will be Chris Oatway, who’s associate general counsel at Verizon, where he has responsibility for cybersecurity policy issues. So thank you, Chris, for being here. I’m really excited for this.

Chris Oatway:

Hi, Jessica. Thanks for having me.

Jessica Dine:

Yeah, of course. And with that, let’s jump right in. I’m very excited to hear this. So I understand essentially that there are cybersecurity and there are supply chain risk management components to the BEAD program. I guess let’s break it down and start with cybersecurity. Could you sort of talk us through that as a brief intro, basically how it comes in and what those requirements look like?

Chris Oatway:

Yeah, sure. I’m happy to. So I think if you just read the news, cybersecurity is an important topic. You read about data breaches, ransomware attacks, threats to critical infrastructure, that sort of thing. And cybersecurity is essentially sort of the practices that an organization can put in place to ensure the confidentiality, integrity, availability of the service that it’s providing. And then supply chain risk management, similarly, making sure that the equipment in your network components and supply chain associated with software that you’re using as well is protected from compromise.

Jessica Dine:

That’s great. That’s really helpful. Thank you. Okay, so what type of security requirements are there within the BEAD program? How does that tie in?

Chris Oatway:

Yeah, so with the IIJA that Congress passed, Congress directed NTIA to ensure that applicants for BEAD money are following what they call prudent cybersecurity practices. And so with that, NTIA went through and when they issued their notice of funding opportunity, their NOFO, set forth specific requirements for supply chain risk management and for cybersecurity risk management in order to ensure that they’re complying with that congressional mandate.

In the cybersecurity space, there’s a requirement that an applicant attest that it has a cybersecurity risk management plan in place. And then there are a couple of prongs that they set forth in terms of what that plan needs to cover. One is that it needs to reflect the NIST Cybersecurity Framework. We can talk more about that. Another is that it needs to reflect the standards and controls in something called Executive Order 14028, so that’s cybersecurity.

And then on the supply chain risk management side, the NTIA requirement is also that the applicant be able to attest that it has a supply chain risk management plan in place, and then it sets forth certain documents, particularly one called NISTIR 8276, that describes how it has implemented appropriate supply chain risk management practices.

Jessica Dine:

That’s great, thank you. Okay, so I guess this will make the most sense if we break it down in half. So focusing only on cybersecurity right now, you mentioned something called the NIST, and actually we love our acronyms, but moving back a little bit, when you said the IIJA, just for anybody who isn’t super familiar with the space, could you briefly explain what that is and how that ties in?

Chris Oatway:

So IIJA is the actual statute, I forget what the acronym is actually, but it’s the statute that Congress passed setting up the BEAD program that you were talking about. And then of course, NIST, for folks that aren’t familiar with it, is a government agency, also part of Commerce like NTIA. It’s the National Institute of Standards and Technology, which does a lot of very interesting things. But most importantly for our purposes here, they have folks that work through cybersecurity and supply chain risk management standards, controls, and best practices for organizations, both federal and private sector, to be following.

Jessica Dine:

Got it. Okay. And so a state that’s trying to apply for these BEAD funds has to attest that it’s following this framework. What does that mean? I guess, is the framework prescriptive? Is it sort of setting forth best practices or standards to adhere to? Or could you talk a little more about that?

Chris Oatway:

Yeah, so an applicant needs to have a cybersecurity risk management plan that reflects the NIST Cybersecurity Framework, and the Cybersecurity Framework, or the CSF as we call it, is a very widely used tool that is used in the private sector and the public sector to assess an organization’s cybersecurity posture and to put in place appropriate standards and controls to address and mitigate cybersecurity issues. So it’s a non-prescriptive tool that ties to a lot of specific standards and controls that are available to organizations and that organizations in many contexts should be implementing. There’s a process through which you work through the CSF in order to identify your organization’s sort of risk profile, and then map that risk profile to the right standards and controls and best practices that you should have in place to address your organization’s risks.

The NIST CSF was implemented, I think back in 2014, recently updated this year. So you should be making sure that you’re tying to the most recent version of the NIST CSF. And it is very widely used in the private and public sectors for risk management purposes. If your organization isn’t currently using the CSF, I think that is probably the core recommendation for most cybersecurity practitioners to start using the NIST cybersecurity framework. It’s the tool around which most of industry has sort of coalesced for communicating and implementing appropriate cybersecurity practices.

Jessica Dine:

Interesting. Okay, great. So I think the NOFO also mentions Executive Order 14028, and it said something about adhering to the standards and controls set forth in the order. Could you tell us what that is and what those standards and controls are?

Chris Oatway:

So Executive Order 14028 was an executive order issued by the White House in, I think, May of 2021, directing federal agencies to do certain things to improve their cybersecurity readiness. EO 14028 actually doesn’t set forth specific standards or controls, which creates some ambiguity in terms of how to put in place a cybersecurity risk management plan that reflects standards and controls from Executive Order 14028. A lot of us in industry have worked pretty extensively through trade associations and others to kind of work through what it means to be implementing Executive Order 14028. And I think where most of us are landing, obviously this isn’t legal advice, I would advise folks to talk to their lawyers if they want legal advice, but where I think most of us are ending up is that EO 14028 does describe certain things that federal agencies need to be doing as part of their security plan.

It describes that they need to have specific software security and cloud security practices in place, and that they’re implementing something called Zero Trust. Zero Trust is the principle that, instead of just looking to protect the perimeter around an organization or an enterprise, you also make sure that you have strong access controls and verification procedures in place for everything that takes place within the organization as well. So I think that if you have a cybersecurity risk management plan that reflects the CSF and that walks through how it addresses those big types of issues that are in Executive Order 14028, that likely is the sort of risk management plan that would be consistent with what others in industry are putting in place.

Jessica Dine:

Okay, thanks. That makes a lot of sense. So like you said, it sounds like there’s some room for interpretation and some ambiguity and all the things that come around here, but industry, or a lot of people, have also coalesced around specific interpretations. So given that, I know you couldn’t speak to exactly what a state cybersecurity plan might look like, but what might a compliant state’s cybersecurity plan look like in theory, at a higher level?

Chris Oatway:

I think it’s a good question. I think it’ll depend on the organization. One key thing about the NIST CSF is it is non-prescriptive. So different organizations will be implementing different pieces of it in different ways, but I think that there is a requirement that you attest that you have such a plan. So there needs to be a plan in place, and that plan should be sort of walking through how you are addressing some of the principles and practices and controls and standards that are set forth in the CSF, and should also be including some information about how you’re addressing some of the things that are set forth in Executive Order 14028, such as cloud security, software security, Zero Trust, that sort of thing. And I think if you have such a plan in place, that’s the BEAD requirement.

Jessica Dine:

Okay. That’s super interesting. Thank you. I guess I’d like to move on now to the similar supply chain risk management components with the rest of our time. I know you’ve already touched on them and introduced them a little bit. Could you please explain a little more deeply what those are and what types of things those will pull in?

Chris Oatway:

So the other piece of the NOFO is the requirement that you be able to attest that you have a supply chain risk management plan in place. And it specifically sort of calls out one particular NIST document called NISTIR 8276, which is a NIST document that is essentially cyber supply chain risk management practices. It’s a higher-level document than the CSF is on the cybersecurity side, but it sets forth a number of key practices that should be in place for any organization to be ensuring that its supply chain is appropriately secure. That’s one sort of key prong to the supply chain risk management plan requirement, that you be able to attest to that. So the plan would have to talk about NISTIR 8276.

And then the other prong that they have set forth in the NOFO for the supply chain risk management plan requirement is that it needs to also tie to other appropriate NIST documents. And they list one in particular, which is a very important NIST document called NIST SP 800-161, and NIST SP 800-161 is a NIST document that similarly sets forth a number of key supply chain risk management practices for organizations to follow. Similar to the CSF, it’s sort of non-prescriptive. So it’s not the case that you would have to necessarily tie to every single standard and control set forth in that document. But under the NOFO requirements, you need to be able to attest that you have a plan in place that sort of addresses them. And so that is sort of the supply chain piece of the requirement.

Jessica Dine:

So going back to NISTIR 8276, you said that it was higher-level. Could you just explain what you mean by that?

Chris Oatway:

It’s higher-level in the sense that it has, I think it’s about nine different categories of things that it identifies should be in place in a, I think actually eight, I’m just looking at my notes here, eight specific key practices that should be in place for a cybersecurity-focused supply chain risk management plan. So it’s things like establishing a formal program. What kinds of policies do you have that are formal within your organization? What kinds of policies do you have in place for managing suppliers? What kinds of policies do you have in place for thinking about the life cycle of equipment in your network? Those kinds of key practices, which are derived from other NIST documents and other guidance, have been set forth in that NISTIR as key practices that are recommended to be in place. And so I think it was appropriate that NTIA focused on that NISTIR document as sort of the core supply chain risk management expectation or requirement for BEAD applicants.

Jessica Dine:

Yeah, no, this has made a lot of sense. Thank you for explaining this so clearly. We’re running up on time here. So Chris, to close out, I know you’re sort of steeped in a lot of this for most of the day. So for those of us who are less familiar with especially these aspects of BEAD, is there any brief takeaway or maybe a final thought that you think is important that you’d like to leave us with?

Chris Oatway:

Yeah, so I think my final thought is, as a general matter, my company uses the NIST Cybersecurity Framework as the core framework that we use in order to assess our cybersecurity posture and to make sure that we are consciously addressing the kinds of things that we need to be addressing. So I really think that any organization, setting aside the BEAD requirements, should be embracing the CSF. You can be embracing it at a relatively nascent level. If you’re relatively new to cybersecurity, there are a lot of documents online for sort of how to get up to speed with it. Or you can be embracing it at a very mature level. I think it’s a journey that the company has to go through. And NIST, I think, has done an excellent job with the CSF in sort of setting forth how to go about improving your company’s supply chain posture.

And that’s what BEAD requires that you be communicating, that you’re into that journey. And then sort of the same thing with the supply chain piece of it, making sure that you pull out a copy of the NISTIR, 8276, and understand what it’s talking about. One thing that NIST does very well is, for companies that may not be sort of steeped in all of this, it has a lot of guidance on how to embrace these documents and how to work through them. So it may sound a little bit intimidating sort of upfront, but NIST sort of appreciates that it needs to meet companies wherever they are. And both of those documents are aimed at ensuring that you can put in place something meaningful. And of course, it’s also a regulatory requirement if you want to be going after BEAD money.

Jessica Dine:

That’s great. Chris, thank you. And thank you also to our audience. If you liked what you heard today, please feel free to check back on ITIF’s Access America page, where we’re going to be regularly putting out episodes, honing in on other specific elements of BEAD. Thanks and have a nice day.

Chris Oatway:

Thanks, Jess.

Jessica Dine:

Thanks.

About This Series

The Broadband Equity, Access, and Deployment (BEAD) program is a $42 billion effort to close the digital divide in America by expanding access to broadband. With so much at stake, it’s essential that state and federal policymakers, ISPs, and civil society groups understand the details of the program. ITIF Policy Analyst Jessica Dine interviewed experts on different aspects of BEAD to discuss what they mean and how BEAD participants can maximize their effectiveness.
