On June 27, the U.S. Supreme Court ruled that the Federal Communication Commission’s Universal Service Fund (USF)1 was constitutional. Within hours, leaders on the House Energy and Commerce Committee announced plans to reauthorize the USF. For those of us attuned to the challenges facing K-12 schools2 when it comes to cybersecurity, these two events raised an immediate question: what’s to become of the FCC’s cybersecurity pilot?
Last year, the FCC finalized a pilot program intended to help E-Rate-eligible schools3 improve their cybersecurity by giving them access to a broader array of subsidized tools and services. The cyber pilot program was wildly oversubscribed: schools and libraries submitted over $3.7 billion in requests for assistance, more than fifteen times the program budget of $200 million. Since launching in January 2025, funding has been approved for more than 700 schools and libraries to help them mitigate threats from cyber criminals. As part of IST’s ongoing work to bolster K-12 cybersecurity, we decided to investigate the pilot’s progress so far and explore options policymakers might consider as they look to update the USF.
On July 11, we hosted “On the Front Lines: Utilizing the Universal Service Fund to Support K-12 Cybersecurity,” a virtual event to help catalyze more conversations about the pilot and other options for updating the USF. Michael Klein, IST’s Senior Director for Preparedness and Response, moderated the event. He kicked off with an introduction to the USF and why it matters, noting: “This particular program, the FCC’s Universal Service Fund, is uniquely positioned to address challenges [facing schools], especially the scourge that’s really been hitting our school districts over the last five years intensely, which is ransomware.”
Vince Voci, Cloudflare’s Director for Global Government Relations & Partnerships, elaborated on the threat environment facing local education agencies. Schools have not historically had to go toe-to-toe with hardened criminals from transnational gangs, and many lack the resources and capacity to protect their systems and their students from these evolving threats. “Cloudflare sees about 90% of successful intrusions start with an email campaign, which can lead to the ransomware that we see against critical infrastructure and schools—[something] that continues to be a global threat,” he said.
Raghu Seshadri, the Executive Administrator Information Security & Cyber GRC in the Jefferson County (KY) Public School system, shared his experiences on the front lines trying to get a handle on cyber risk. “We have a population that doesn’t have a voice in how their information is protected, and that’s the students. So as we are educating them, we have an obligation to make sure that we are protecting everything else around them. It’s a moral obligation,” he reflected.
Amy McLaughlin, Project Director for Cybersecurity and Network and Systems Design Initiatives at the Consortium for School Networking (CoSN), shared with the audience a brief background on the E-Rate program, which was first authorized in 1996. While E-Rate has traditionally provided for some cybersecurity investments, like firewall appliances, many modern services are not supported by the program. “One of the things that I’m pretty sure E-Rate just did not anticipate at the beginning of the program was the downside of Internet connectivity, which is cyber threats,” Amy explained.
For Jefferson County Public Schools, where 70% of students are eligible for free and reduced-price lunch under the National School Lunch Program, Raghu says the E-Rate program has been invaluable. “We’ve always used E-Rate to benefit students,” he explained, pointing to efforts to increase broadband connectivity and create WiFi hotspots. Now, schools face a security cliff: “We have a surplus of devices…how do we manage them?”
Amy noted the importance of the FCC’s cybersecurity pilot as a critical first step for modernizing the E-Rate offerings. “Because we didn’t build security into the E-Rate program, we basically handed the equivalent of car keys to children without a driver’s license, without a test, without breaks, without seat belts,” she explained. “[Demand for the pilot project] really speaks to how much we need support and capability for cybersecurity in districts of all sizes.”
Raghu, who has first-hand experience as one of the recipients of the K-12 cybersecurity pilot funding, shared some of the new capabilities he’s bringing on to protect students in Kentucky. “The cybersecurity grant came as a blessing because, at the time, we were able to identify the gaps, so we used the grant to focus on three specific areas.” He explained that his district has focused on deploying internal firewalls, acquiring a SIEM4 tool to unify visibility across its systems, and implementing logical network segmentation.
Finally, the conversation turned to opportunities to continue the momentum from the FCC pilot. Panelists considered three main approaches:
- Codify the Pilot: Through updates to the USF, the FCC could make the cybersecurity program permanent, allowing schools to apply for a specific allocation of funding to address urgent cybersecurity needs.
- Expand the Scope of Allowable Products/Services under E-Rate: Alternatively (or additionally), the FCC could update the traditional E-Rate program to allow schools to use funding for the current generation of cybersecurity tools, not simply legacy network appliances.
- Consider Cross-Sector Applicability: They also discussed the potential for a broader set-aside, where a certain proportion of USF funding was reserved for cybersecurity across an array of broadband access programs, from education to healthcare.
Building off of the conversation, and through our ongoing work on K-12 cybersecurity, IST will continue to explore this unique opportunity to provide critical resources to the communities that need it most. This is the beginning of a conversation, and we need your input to keep it going. Please reach out to the team to share with us your thoughts on other approaches that could address unmet needs in education cybersecurity.
“We are glad to see the Supreme Court uphold the constitutionality of the Universal Service Fund, which is critical for expanding reliable internet access to rural and low-income Americans, schools, libraries, and rural health centers,” said Chairmen Guthrie and Hudson. “The Committee on Energy and Commerce can now turn its attention to reforming the USF so it can continue to provide every American with access to the connectivity they need to participate in the 21st century economy.”
1 The USF is a fee-based mechanism that aims to ensure all Americans have access to affordable communications.
2 K-12 is also facing significant financial challenges with the “fiscal cliff” from the end of the $200 billion in pandemic aid, the recent announcement that the Administration is withholding $6 billion in appropriated funds, and cuts to cybersecurity services from CISA and MS-ISAC. These factors increase the urgency of looking at alternative pathways to protect school systems from cyber criminals.
3 The E-Rate program leverages USF funds to provide schools and libraries with subsidized Internet access and supporting technology.
4 Security incident and event management (SIEM) tools consolidate data from other applications, devices, and users to provide a single view of an enterprise’s security posture.
