Article

5 key considerations for BEAD funding compliance

Outlining an effective plan for grant subrecipients

December 08, 2023

The Broadband Equity, Access, and Deployment (BEAD) Program—part of the Infrastructure Investment and Jobs Act (IIJA)—is designed to expand access to broadband infrastructure within rural and underserved communities. Underpinning this initiative is the requirement that subgrantees develop and implement a risk management plan that adheres to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. To meet this requirement, a subgrantee must have a cybersecurity risk management plan as well as a separate cyber supply chain risk management plan that is operational or ready to be operationalized prior to the allocation of funds.

BEAD cybersecurity requirements for grant subrecipients

The federal government is currently distributing broadband infrastructure grants to internet service providers through the American Rescue Plan Act. However, the BEAD Program significantly expands the requirements for grant subrecipients in a variety of areas, including environmental policy and climate resiliency, Build America Buy America and cybersecurity program considerations. These provisions will require organizations planning to utilize BEAD funding to document and implement cybersecurity programs in alignment with multiple industry-recognized frameworks from NIST.

Breaking down a plan for compliance

Consideration 1: Documenting two cybersecurity plans

To receive grant funds, eligible entities need to ensure that subgrantees—defined as entities that receive grants from an eligible entity to carry out eligible activities—meet the following cybersecurity requirements outlined in the Notice of Funding Opportunity:  

Cybersecurity risk management plan

This document is more than paperwork: it is a strategic road map designed to align with the NIST Cybersecurity Framework (CSF). The cybersecurity risk management plan must adhere to the standards articulated in Executive Order 14028 and clearly capture each of the following:

  • A threat landscape analysis specific to the region
  • Risk assessment methodologies adopted
  • A detailed mitigation plan, addressing both current and emerging threats
  • Response and recovery strategies, detailing steps following a potential breach

Cybersecurity supply chain risk management (C-SCRM) plan

The subgrantee is required to have a C-SCRM plan based on key practices discussed in NISTIR 8276 and guidance provided by NIST SP 800-161, and must clearly state each of the following:

  • A detailed assessment of external product and service providers
  • Proactive measures to vet, monitor and manage suppliers
  • Protocols for immediate action if a threat emerges from a vendor

Subgrantees are mandated to submit both of these plans to the eligible entity before fund allocation, and should provide updates when making modifications.

Consideration 2: Aligning programs to leading standards

While documentation is a key requirement, implementation of the two plans according to the standards set by the governing publications is also important. The following table demonstrates which publication(s) govern each plan.

Publication              Cybersecurity risk management plan    Cyber supply chain risk management plan
NIST CSF                 X                                     X
NISTIR 8276                                                    X
NIST SP 800-161                                                X
Executive Order 14028    X

NIST CSF: The risk management strategy and supply chain risk management strategy categories of the NIST CSF help ensure that the organization’s priorities, constraints, risk tolerances and assumptions are established and used to support risk decisions associated with managing supply chain risk. The framework also requires the organization to establish and implement a process to identify, assess and manage supply chain risks.

NISTIR 8276: This publication identifies key practices in C-SCRM, which include establishing a C-SCRM program and integrating it across the organization, identifying and managing critical suppliers, understanding the supply chain and industry relevant to the organization, collaborating with key suppliers, assessing and monitoring suppliers, and including external stakeholders in resilience planning and improvements.

NIST SP 800-161: This publication provides guidance on identifying, assessing and mitigating cybersecurity risks throughout the supply chain at all levels of an organization. It outlines several foundational, sustaining and enabling C-SCRM practices that subrecipients must adopt and tailor to their unique contexts. The publication emphasizes the importance of prioritizing reaching a base level of maturity in key practices before focusing on advanced C-SCRM capabilities.

Executive Order 14028: This executive order requires service providers to share cyber incident and threat information that could affect government networks. Additionally, agencies are required to deploy an endpoint detection and response initiative to support proactive detection of cybersecurity incidents within federal government infrastructure; active cyber hunting; containment and remediation; and incident response.

Consideration 3: Creating a path to compliance

Building a plan to address BEAD Program requirements is important and should include the following steps:

Consideration 4: Monitoring progress

After achieving critical cybersecurity milestones, an organization must perform consistent monitoring to gauge overall impact and ensure continuous improvement. Monitoring includes:

  • Continuous tracking: Organizations must set benchmarks and key performance indicators for their cybersecurity initiatives, tracking their effectiveness over time.
  • Creating a feedback loop: Establish a mechanism to gather feedback, learn from challenges faced and iteratively improve the cybersecurity posture.

Consideration 5: Understanding cyber requirements

NIST CSF, Executive Order 14028, NISTIR 8276 and NIST SP 800-161 all provide a comprehensive list of controls; however, understanding the primary areas of focus across these frameworks is also important.

The takeaway

To qualify for BEAD funding, subrecipients of critical infrastructure grants must establish and maintain a robust cybersecurity program, not only for themselves but also to ensure that their third-party entities comply with these requirements. Because the distribution of funds will commence in 2025, and given the substantial nature of this endeavor, initiating the process now by evaluating existing frameworks, identifying gaps and formulating a strategic road map to address any deficiencies is crucial.

Collaborating closely with the respective states where funding requests will be made is paramount. It is critical to understand what templates need to be completed to ensure alignment to state as well as federal requirements.

RSM US LLP has extensive experience in grant monitoring and compliance, offering a vast network of trusted advisors. Many of our professionals have firsthand experience as public servants, with a background in building effective, collaborative relationships with municipalities, counties, states, and diverse authorities to design and implement solutions aimed at streamlining operations, enhancing performance, and maximizing efficiency. Our comprehensive involvement in some of the most critical infrastructure programs, such as the Coronavirus State and Local Fiscal Recovery Funds program, the Capital Projects Fund, and BEAD, continues to empower us to work with state agencies to fashion innovative, top-tier solutions for broadband infrastructure program development.

RSM contributors

  • Andrew Weidenhamer
    Principal
  • Austin Carpen
    Associate
