What Every BEAD Subgrantee Needs to Know About the Cybersecurity Attestation Requirement

By Gillian Tedeschi, Vice President, Securance Consulting. Gillian drives Securance's go-to-market strategy for BEAD cybersecurity technical assistance, working with state broadband offices and subgrantees across the country to connect them with the compliance support they need.
If you have received a Broadband Equity, Access, and Deployment (BEAD) grant award, you are likely focused on what comes next: finalizing your network design, securing equipment, coordinating with your state broadband office, and preparing for deployment. Cybersecurity compliance may not be at the top of your list.
It should be.
Before your grant funds are disbursed, the National Telecommunications and Information Administration (NTIA) requires you to attest that your organization maintains an operational cybersecurity risk management plan and a supply chain risk management (SCRM) plan. This is not a suggestion or a best-practice recommendation; it is a condition for receiving your funding. And for most broadband subgrantees, meeting it requires more time and expertise than they initially expect.
This article explains what the requirement involves, what compliant plans must contain, and what you can do now to get ahead of it.
Why This Requirement Exists
The BEAD Program is distributing $42.5 billion in federal funding to connect unserved and underserved communities across the United States. The networks being built with that funding will carry sensitive communications for homes, businesses, schools, hospitals, and government agencies — many of them in rural and tribal communities that have never had reliable broadband access before.
The federal government has a strong interest in ensuring that the infrastructure it is funding is not vulnerable to cyberattacks, supply chain compromises, or the use of equipment from prohibited vendors. The cybersecurity and SCRM plan requirements exist to protect that infrastructure and the communities it will serve.
They also reflect a broader federal policy direction. Executive Order 14028, signed in May 2021, established sweeping cybersecurity modernization requirements across the federal government and its contractors and grantees. The BEAD Notice of Funding Opportunity (NOFO) cybersecurity requirements are an extension of that policy into the broadband infrastructure space.
What the Requirement Actually Says
The relevant requirement is found in Section IV.C.2.c.vi of the NTIA BEAD NOFO. It requires each prospective subgrantee to attest, at the time the grant-funded network is made operational, that the subgrantee has:
An operational cybersecurity risk management plan that reflects the applicable cybersecurity framework and specifies the security and privacy controls being implemented.
An operational SCRM plan that outlines how the organization identifies, assesses, and mitigates risks within its supply chain.
They’re not one-time documents; they’re living programs your organization must sustain.
Which Standard Applies to Your Organization
The cybersecurity framework requirement varies by organization size:
Larger organizations with 250 or more employees must align their cybersecurity plans with the full National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and the requirements of Executive Order 14028.
Smaller organizations with fewer than 250 employees may use the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPGs) as an alternative standard. The CPGs are a right-sized, prioritized subset of high-impact cybersecurity practices designed to be achievable by organizations with limited cybersecurity resources. They are aligned with the NIST CSF but reduce the compliance burden to a manageable set of 38 controls across five domains.
For the SCRM plan, all subgrantees must implement the key practices in NIST Interagency Report 8276 (NISTIR 8276), Key Practices in Cyber Supply Chain Risk Management, and NIST Special Publication 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
If you’re unsure which standard applies to your organization, your state broadband office can clarify. In most cases, the determination is straightforward: it is based on your total employee headcount at the time of attestation.
What a Compliant Cybersecurity Plan Must Contain
A compliant cybersecurity plan must reflect your organization’s technology environment and risk posture. NTIA reviewers and state broadband offices evaluate these plans for substantive content — evidence that your organization has assessed its posture and is actively managing identified risks.
At minimum, a compliant cybersecurity plan must include:
Grant award information. Your Federal Award Identification Number, organization name and contact information, project name and type, and the name and contact information of the point of contact responsible for the plan.
Governance description. A high-level description of how cybersecurity risk management is organized within your organization — who’s responsible, what their roles are, and how resources are allocated.
IT and operational technology (OT) asset inventory. A documented inventory of all technology assets associated with the grant-funded project, including both IT and OT systems.
Risk mitigation actions and controls. A documented list of the cybersecurity controls your organization is implementing, mapped to the applicable framework (the NIST CSF or CISA CPGs). This must include a prioritized list of gaps and a remediation roadmap with target implementation dates for each gap.
Closeout provisions. Instructions for the disposition of cyber assets and the transfer of system documentation in the event of a change in ownership or operation of the grant-funded network.
The plan must reflect your organization’s true security posture, not an aspirational state. If controls are not yet implemented, the plan should say so and describe when and how they will be addressed.
What a Compliant SCRM Plan Must Contain
The SCRM plan addresses a different but equally important set of risks: the possibility that the equipment, software, or services your organization procures could be compromised, counterfeit, or sourced from prohibited vendors.
At minimum, a compliant SCRM plan must include:
Grant award information. The same Federal Award Identification Number, organization contact information, and point of contact details required in the cybersecurity plan.
Governance description. How SCRM is organized within your organization, including roles, responsibilities, and decision-making authority over procurement.
Vendor governance framework. How your organization identifies, evaluates, and manages vendors, including risk tiering, vendor assessment criteria, and the cybersecurity requirements embedded in your procurement contracts.
SCRM controls. The SCRM controls your organization is implementing, aligned to NISTIR 8276 and NIST SP 800-161.
Prohibited vendor compliance. Documentation that your organization does not use telecommunications equipment or services from prohibited vendors, including Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision, and Dahua Technology, as required by federal law.
Periodic review commitment. A documented commitment to reevaluating and updating the SCRM plan on a regular basis and as events warrant.
The Most Common Challenges Subgrantees Face
Unfamiliarity with the frameworks.
Most broadband operators have not previously worked with the NIST CSF or CISA CPGs. The frameworks use specialized terminology and are organized in ways that are not immediately intuitive to someone whose primary expertise is in network operations rather than cybersecurity. Understanding what each control requires in practice, and how to gather evidence that it is in place, takes time and expertise.
Generic documentation.
It’s tempting to find a template online, fill in your organization’s name, and submit it as your plan. State broadband offices and NTIA reviewers are increasingly sophisticated about identifying plans that do not reflect operational reality. A plan that cannot be corroborated by your practices is a liability, not a protection.
Limited staff capacity.
Developing compliant cybersecurity and SCRM plans is a significant undertaking. For a small internet service provider or a lean municipal IT department, finding the bandwidth to do this work properly, while managing day-to-day operations and grant deployment activities, is difficult.
Compressed timelines.
The cybersecurity attestation requirement applies at the time the grant-funded network is made operational. As deployment timelines firm up, the window for developing compliant plans narrows quickly. Organizations that wait until deployment is imminent consistently find themselves under pressure.
What Compliant Plans Look Like in Practice
A well-developed cybersecurity plan for a typical BEAD subgrantee is a substantive document, typically 20 to 40 pages, that describes the organization’s governance structure, documents its asset inventory, maps its current security controls to the applicable framework, surfaces compliance gaps, and provides a roadmap for closing those gaps within defined timeframes.
It’s not a policy statement or a collection of vendor documentation. It’s an evidence-based record of your organization’s cybersecurity posture and a clear commitment to address gaps.
The SCRM plan is usually shorter — 15 to 25 pages — but requires equally careful development. The supply chain controls are less familiar territory for most organizations, and the vendor governance requirements often require new contractual language and procurement processes that take time to put in place.
Both plans should be developed in conjunction with a cybersecurity risk assessment that includes documentation review, personnel interviews, and technical evidence validation. The assessment findings inform the plans and provide the evidentiary basis for your attestation.
What You Should Do Now
If you have received a BEAD award and have not yet started work on your cybersecurity and SCRM plans, the time to start is now, not when your deployment timeline is six months away.
Step 1 — Determine which standard applies to your organization. Confirm with your state broadband office whether you are subject to the full NIST CSF requirement or the CISA CPG alternative. This determination drives everything else.
Step 2 — Assess your current posture honestly. Before you can develop compliant plans, you need to understand where your organization stands today. A structured assessment against the applicable framework will identify gaps and give you a prioritized roadmap to address them.
Step 3 — Start with your asset inventory. The IT and OT asset inventory is a foundational element of both plans. Starting this process early will accelerate the overall timeline significantly.
Step 4 — Review your vendor contracts. Many organizations discover during SCRM plan development that their existing vendor agreements do not include the cybersecurity and incident reporting provisions that the BEAD requirement calls for. Updating contracts takes time, and some vendor negotiations move slowly.
Step 5 — Engage technical assistance early. Whether you engage a firm directly or access technical assistance through your state broadband office’s program, doing so early gives you the time to develop substantive, evidence-based plans rather than rushing to meet a deadline.
How Securance Can Help
Securance Consulting provides end-to-end cybersecurity and SCRM plan technical assistance to BEAD subgrantees. We work with subgrantees directly and through state broadband office technical assistance programs. Our proven methodology produces compliant, defensible plans for organizations of all sizes and types — from small rural internet service providers to municipalities, utilities, and tribal governments.
Our process covers the complete engagement lifecycle: initial needs assessment, framework orientation, cybersecurity and SCRM risk assessments, plan development, and closeout documentation. We have delivered this service to multiple subgrantees and understand both the federal requirements and the operational realities of the organizations navigating them.
Whether your state broadband office is managing a technical assistance program or you’re engaging us directly, we can help you meet the NTIA’s cybersecurity requirement on time and with confidence.
Learn more about our BEAD cybersecurity technical assistance services at securanceconsulting.com/bead-cybersecurity, or call 877.578.0215 to discuss your organization’s needs.
Securance Consulting is a national cybersecurity and IT risk management firm. We hold an active contract with a state broadband office to deliver BEAD cybersecurity and SCRM plan technical assistance to subgrantees.