BEAD applicants are required to have cybersecurity and supply chain risk management plans that meet very specific best practices requirements established by the NTIA. Individual states or Eligible Entities may also require additional measures, though most do not. 

These plans must be operational if applicants are providing service at the time of the grant, or ready to be operationalized if they are not yet providing service. 

If applicants make any substantive changes to their plans, a new version must be submitted to the state within 30 days. If they rely in whole or in part on network facilities owned or operated by a third party (e.g., purchases wholesale carriage on such facilities), the state will need to obtain attestations from the network provider for both cybersecurity and supply chain risk management practices.

Questions to ask before completing this section

Do you have a cybersecurity risk management plan that:

Do you have a cybersecurity supply chain risk management plan that:

Will your state require additional cybersecurity measures above and beyond what NTIA requires?

Will you need to certify cybersecurity capacity in the pre-qualification round?

  • Depending on your state, you may need to gather this information months before the application window opens. If this is the case, prioritize creating and certifying your mitigation plan in early 2024.


Questions? Get in touch. 

If you have any additional questions or would like help with your BEAD application, please contact us.