(a) A 5G Fund support recipient must implement operational cybersecurity and supply chain risk management plans meeting the requirements of this section as a condition of receiving 5G Fund support.
(b) A 5G Fund support recipient must certify that it has implemented plans required under paragraph (a) of this section and submit the plans to the Administrator by the date announced by the Office of Economics and Analytics and the Wireline Competition Bureau in a public notice or within 30 days after approval under the Paperwork Reduction Act, whichever is later.
(c) A 5G Fund support recipient that fails to comply with any 5G Fund cybersecurity or supply chain risk management requirement is subject to the following non-compliance measures:
(1) The Wireline Competition Bureau shall direct the Administrator to withhold 25 percent of the 5G Fund support recipient's monthly support for failure to comply with paragraph (b) of this section until the support recipient makes the required certification and submits the required plans.
(2) At any time during the support term, if a 5G Fund support recipient does not have in place operational cybersecurity and supply chain risk management plans meeting the requirements of this section, the Wireline Competition Bureau shall direct the Administrator to withhold 25 percent of the support recipient's monthly support.
(3) Once the 5G Fund support recipient comes into compliance, the Administrator shall stop withholding support, and the support recipient will receive all of the support that had been withheld pursuant to this section.
(d) A 5G Fund support recipient's cybersecurity risk management plan must reflect at least the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity v.1.1 (2018) (NIST Framework) or any successor version of the NIST Framework, and must reflect established cybersecurity best practices that address each of the Core Functions described in the NIST Framework, such as the standards and controls set forth in the Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Cross-sector Performance Goals and Objectives or the Center for Internet Security Critical Security Controls.
(e) A 5G Fund support recipient's supply chain risk management plan must incorporate the key practices discussed in NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, and related supply chain risk management guidance from NIST 800-161.
(f) If a 5G Fund support recipient makes a substantive modification to a plan under this section, the carrier must file an updated plan with the Administrator within 30 days of making the modification. A modification to a plan under this section is substantive if at least one of the following conditions applies:
(1) There is a change in the plan's scope, including any addition, removal, or significant alteration to the types of risks covered by the plan (e.g., expanding a plan to cover new areas, such as supply chain risks to Internet of Things devices or cloud security, could be a substantive change);
(2) There is a change in the plan's risk mitigation strategies (e.g., implementing a new encryption protocol or deploying a different firewall architecture);
(3) There is a shift in organizational structure (e.g., creating a new information technology department or hiring a Chief Information Security Officer);
(4) There is a shift in the threat landscape prompting the organization to recognize the emergence of new threats or vulnerabilities that were not previously accounted for in the plan;
(5) Updates are made to comply with new cybersecurity regulations, standards, or laws;
(6) Significant changes are made in the supply chain, including offboarding major suppliers or vendors, or shifts in procurement strategies that may impact the security of the supply chain; or
(7) A large-scale technological change is made, including the adoption of new systems or technologies, migrating to a new information technology infrastructure, or significantly changing the information technology architecture.
(g) Compliance with paragraphs (b) and (f) of this section will not be required until after the completion of such review by the Office of Management and Budget as the Office of Economics and Analytics and Wireline Competition Bureau deem necessary. The Commission will publish a document in the Federal Register announcing that compliance date and revising or removing this paragraph (g).
[89 FR 101400, Dec. 13, 2024]