In July 2024, the Federal Communications Commission (FCC) launched a three-year Cybersecurity Pilot Program (CPP), allocating $200 million in federal funding to support selected K-12 school districts and public libraries across the United States. The pilot program will operate from 2025-2028.
This initiative is designed to assess the effectiveness of incorporating cybersecurity solutions into the existing E-rate program, which has historically excluded such services.
The CPP enables approximately 700 selected applicants to implement critical cybersecurity tools and services, helping to bolster their resilience against growing cyber threats. The pilot is intended to inform the future of federally funded cybersecurity initiatives in the education and library sectors.
Funding priorities and eligibility
To assist participants in strategically allocating their budgets, the FCC issued a preliminary list of eligible services. Although not exhaustive, the guidance prioritizes the following solution categories:
- Next Generation Firewalls (NGFW)
- Endpoint Protection
- Identity Protection and Authentication
- Managed Detection and Response (MDR)
These categories reflect a broad industry consensus on essential components for establishing a robust cybersecurity foundation.
Procurement trends and observations
Analysis of about 250 released FCC Form 470 filings indicates that most applicants are prioritizing NGFW, MDR, and Identity and Access Management (IAM) solutions. These categories align with the FCC’s guidance and broader cybersecurity best practices.
Form 470 alerts potential service providers that an eligible organization is seeking bids for eligible services and solutions under the program. It serves as the formal public notice required before applicants can evaluate proposals and move forward with procurement.
While NGFW devices are fully eligible under the CPP, their subscription and support services typically remain only partially eligible under standard E-rate guidelines. The pilot program provides an opportunity to fund comprehensive solutions that were previously cost-allocated or excluded.
IAM technologies are widely endorsed by federal and industry frameworks, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Center for Internet Security (CIS), as critical for protecting access to networks and systems. MDR services, when implemented effectively, offer around-the-clock threat detection, analysis, and response capabilities that can significantly reduce an organization’s risk exposure.
Strategic planning recommendations
Program participants are encouraged to take a strategic approach when allocating funds to ensure measurable improvements in cybersecurity posture. Prior to issuing procurement requests, stakeholders should:
- Conduct a comprehensive review of cybersecurity needs
- Evaluate a range of potential solutions aligned to identified gaps
- Prioritize solutions with direct impact on risk mitigation and resilience
Additional funding, while always welcome, introduces new choices and options, and it can be challenging to identify the best way to use the budget to achieve optimal security outcomes. There are many options on the table, and organizations may not be aware of all possible solutions or investment opportunities.
We encourage institutions to explore available solutions in advance and identify areas where funding will have the greatest impact before releasing bid requests.
Engaging solution providers early in the process can provide valuable guidance on eligible services and deployment strategies that maximize return on investment within program guidelines.
Key measures for cybersecurity readiness
In addition to leveraging CPP funding, institutions should consider the following cybersecurity best practices as part of a comprehensive risk management strategy:
- Implement multi-factor authentication (MFA)
- Conduct ransomware tabletop exercises to assess response capabilities
- Test and validate data backup and recovery systems
- Review and update incident response plans regularly
- Evaluate user awareness through phishing simulations and training reinforcement
- Ensure cybersecurity insurance policies reflect current threats and business conditions
Conclusion
The Cybersecurity Pilot Program represents a significant advancement in strengthening the digital infrastructure of K-12 schools and public libraries. By making strategic and informed investment decisions, participating organizations have a unique opportunity to elevate their cybersecurity posture while contributing to the broader evaluation of cybersecurity funding under the E-rate program.
The Sophos Public Sector team has extensive experience helping educational and library institutions navigate funding programs and optimize their cybersecurity investments.
Sophos Protected Classroom is specifically designed to meet the evolving security needs of K-12 and library environments — providing comprehensive protection through advanced technologies such as managed detection and response (MDR), identity protection, and next generation firewalls.
We welcome the opportunity to support your planning process and explore solutions tailored to your needs.
If you are preparing an RFP or Form 470 submission under the Cybersecurity Pilot Program, we encourage you to connect with us to discuss how we can support your objectives and help you make the most of this funding opportunity.
