Broadband Funding: Stronger Management of Performance and Fraud Risk Needed for Tribal and Public-Private Partnership Grants
Fast Facts
Tribal, rural, and economically disadvantaged areas are more likely to not have access to broadband service—which is vital for things like remote learning, telework, and telehealth.
The National Telecommunications and Information Administration (NTIA) manages two grant programs that work to expand broadband access. We found that for one of these programs the agency's goals include extending reliable, affordable broadband to 200,000 households. However, NTIA doesn't define terms like 'reliable' and 'affordable', so it can't quantify them.
We recommended that NTIA improve how it measures the performance of these programs.
Highlights
What GAO Found
The National Telecommunications and Information Administration's (NTIA) management of the Tribal Broadband Connectivity Program (TBCP) and Broadband Infrastructure Program (BIP) was generally consistent with recommended practices for awarding grants. However, NTIA took longer than expected to announce awards. For example, NTIA expected to announce TBCP award decisions in November 2021 but, as of September 2022, was continuing to announce awards on a rolling basis. NTIA officials said that the agency received many more applications than expected and needed to return more than three-quarters of TBCP applications for additional information. This step lengthened evaluation and selection. As of September 2022, NTIA had announced $726 million in TBCP awards and had announced all $288 million in BIP awards.
NTIA developed some performance goals and measures for TBCP and BIP, but they did not include all primary functions nor were they fully quantifiable. (See table). For example, NTIA set a TBCP goal to extend reliable, affordable broadband to 200,000 households, but did not include a goal related to funding broadband use and adoption projects, a key program function. Moreover, NTIA's goals for both programs included terms such as “reliable” and “affordable” that are not defined and therefore are not fully quantifiable. NTIA officials said that the agency was still developing goals and measures. Without comprehensive goals and measures, NTIA will be unable to track its progress.
Program Alignment with Selected Key Attributes of Successful Performance Goals and Measures
|
Key attributes of successful performance goals and measures |
Tribal Broadband Connectivity Program |
Broadband Infrastructure Program |
|---|---|---|
|
Objective: free of significant bias or manipulation |
✔ |
✔ |
|
Primary function: reflect the program's main functions |
✖ |
✔ |
|
Measurable and quantifiable |
✖ |
✖ |
|
Linkage: reflect the agency's strategic goals |
✔ |
✔ |
✔ indicates goal and measure fully aligned with key attribute
✖ indicates goal and measure did not fully align with key attribute in which some or all aspects were not met
Source: GAO analysis of Department of Commerce and U.S. Department of Agriculture documentation. | GAO-23-105426
NTIA's fraud risk management activities did not fully align with selected leading practices. Several offices in the Department of Commerce have roles in fraud risk management, but none was designated as lead. Additionally, NTIA did not conduct a fraud risk assessment, as called for by leading practices, by comprehensively identifying fraud risks, assessing the likelihood and impact of fraud, setting fraud risk tolerance, examining current antifraud controls, and documenting the fraud risk profile. Without designating an entity to oversee fraud risk management activities and conducting a five-step fraud risk assessment, NTIA lacks assurance that it is sufficiently positioned to combat fraud.
Why GAO Did This Study
Broadband access is critical for economic opportunity, healthcare, and civic engagement. The Consolidated Appropriations Act, 2021, established two new broadband grant programs—TBCP and BIP. NTIA issued a notice of funding opportunity for BIP in May 2021 and for TBCP in June 2021. NTIA allocated $2.98 billion (from two separate appropriations) for TBCP and $288 million for BIP.
The Consolidated Appropriations Act, 2021, includes a provision for GAO to review the grants awarded under these programs. This report examines the extent to which NTIA's administration of TBCP and BIP aligned with relevant practices for (1) awarding grants, (2) performance management, and (3) fraud risk management.
GAO reviewed NTIA program documentation. GAO also interviewed program officials, industry associations, and a non-generalizable sample of program participants selected to reflect a variety in project types, geography, and other factors.
Recommendations
GAO is making 15 recommendations to NTIA to better measure TBCP and BIP performance and to complete fraud risk management activities. NTIA agreed with the recommendations and outlined actions to address them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should establish performance goals and measures for all of the program's purposes—funding broadband use and adoption projects as well as funding broadband infrastructure deployment projects. (Recommendation 1) |
In 2024, we confirmed that NTIA had taken actions implement this recommendation. NTIA established performance goals and measures for broadband use and adoption projects within TBCP by combining the project goals of TBCP award recipients. NTIA identified these project goals through required forms that TBCP awards recipients must provide to NTIA. Those project goals consist of the performance measures of projecting the number of tribal households, businesses and anchor institutions that receive new access to broadband through TBCP use and adoption projects. NTIA uses the required forms to collect performance data on an ongoing basis from TBCP recipients until award closeout. With these performance goals and measures in place, NTIA is better positioned to gauge TBCP's progress in meeting its strategic and intended goals.
|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should ensure the performance goal is quantifiable and measurable by defining broadband reliability and affordability. (Recommendation 2) |
In July 2024, we confirmed that NTIA's second TBCP Notice of Funding Opportunity (NOFO) applied the definitions for affordability and reliability used in the Broadband Equity, Access, and Deployment Program (BEAD). For affordability, BEAD previously addressed this concept in its NOFO and defined a "low-cost option" for new broadband networks that is now referenced in the second TBCP NOFO. Regarding reliability, NTIA defined this concept as a quality of service performance measure such that network outages do not exceed, on average, 48 hours over any 365-day period. By defining affordability and reliability to make them and the TBCP goal measurable and quantifiable, NTIA is better able to demonstrate whether it is meeting desired strategic and intended goals.
|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should designate a dedicated entity to lead fraud risk management activities for the program. (Recommendation 3) |
In July 2024, GAO confirmed that the NTIA Office of Internet Connectivity and Growth (OICG) designated the Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for TBCP. Specifically, RMC is to provide governance and oversight over the conduct of risk management for TBCP. RMC is also to provide TBCP timely identification, assessment, and response to the greatest priority risks to strategic goals and objectives. By designating the RMC as the lead entity to oversee fraud risk management activities for TBCP, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud.
|
| National Telecommunications and Information Administration |
Priority Rec.
For TBCP, the Administrator of NTIA should ensure that the dedicated entity identifies inherent fraud risks in the program. (Recommendation 4) |
In 2023, we reported that the National Telecommunications and Information Administration's (NTIA) fraud risk management activities did not fully align with leading practices. For example, NTIA took some steps to identify inherent fraud risks in the Tribal Broadband Connectivity Program (TBCP). However, NTIA did not conform to the leading practice of having a dedicated lead entity comprehensively identify the inherent fraud risks as part of its fraud risk assessment. Therefore, we recommended that NTIA should ensure that the dedicated entity identifies the inherent risks for TBCP. In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for TBCP. In September 2025, NTIA provided us with documentation demonstrating that RMC had identified four inherent risks to TBCP, including those related to collusion, improper payments, and conflicts of interest. By identifying these inherent risks, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in TBCP.
|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should ensure that the dedicated entity assesses the likelihood and impact of inherent fraud risks in the program. (Recommendation 5) |
In July 2024, GAO confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for TBCP. In September 2025, NTIA provided us with documentation demonstrating that RMC had identified several inherent risks to TBCP and assessed their likelihood in a range from moderately likely to highly likely. For example, NTIA assessed the risk of improper payments as highly likely and the risk of collusion between recipients and state, local, or tribal officials as moderately likely. By assessing the likelihood of the inherent risks, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in TBCP.
|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should ensure that the dedicated entity determines fraud risk tolerance for the program. (Recommendation 6) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for TBCP. In January 2026, NTIA provided us with documentation demonstrating that RMC set its fraud risk tolerance for TBCP as low based on its analysis. By determining the fraud risk tolerance, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in TBCP.
|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should ensure that the dedicated entity examines the suitability of existing antifraud controls in the program and prioritizes residual fraud risks. (Recommendation 7) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for TBCP. January 2026, NTIA provided us with documentation demonstrating that the RMC had examined the suitability of existing antifraud controls by comparing them to leading practices and prioritized residual fraud risks through treatment plans for mitigating them. The treatment plans included testing and evaluating program controls and strengthening them when necessary. By examining the suitability of existing antifraud controls and prioritizing residual fraud risk, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in TBCP.
|
| National Telecommunications and Information Administration | For TBCP, the Administrator of NTIA should ensure that the dedicated entity documents the fraud risk profile for the program. (Recommendation 8) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for TBCP. In January 2026, NTIA provided us with RMC briefing slides that presented its fraud risk profile. The presentation documented the fraud risk assessment timeline, NTIA's fraud risk ratings, its response plan, its comparison to leading practices, its testing and evaluation of its fraud risk controls, and its fraud treatment plan for each residual fraud risk. The treatment plans included testing and evaluating program controls and strengthening them when necessary. By documenting the fraud risk profile for TBCP, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should ensure the performance goal is quantifiable and measurable by defining broadband affordability. (Recommendation 9) |
In July 2024, GAO confirmed that NTIA said it would apply the definition of affordability that it established in the Broadband Equity, Access, and Deployment program to quantify and measure its affordability goal for BIP and updated the BIP Annual Report Form to collect the needed information. In September 2025, NTIA provided a documentation showing that it defined a "low-cost option" for new broadband networks and indicating it revised its BIP Annual Report Form to require recipients to report on the price ranges for the broadband services they provided as part of BIP. This definition and pricing information will allow NTIA to track the extent to which the broadband is affordable based on the definition established in the Broadband Equity, Access, and Deployment program. By doing so, NTIA will be better able to demonstrate whether it is meeting its goal under BIP of providing affordable broadband service.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should designate a dedicated entity to lead fraud risk management activities for the program. (Recommendation 10) |
In July 2024, GAO confirmed that the NTIA Office of Internet Connectivity and Growth (OICG) designated the Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for BIP. Specifically, RMC is to provide governance and oversight over the conduct of risk management for BIP. RMC is also to provide BIP timely identification, assessment, and response to the greatest priority risks to strategic goals and objectives. By designating the RMC as the lead entity to oversee fraud risk management activities for BIP, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should ensure that the dedicated entity identifies inherent fraud risks in the program. (Recommendation 11) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for BIP. In September 2025, NTIA provided us with documentation demonstrating that RMC had identified four inherent risks to BIP, including those related to collusion, improper payments, and conflicts of interest. By identifying these inherent risks, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in BIP.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should ensure that the dedicated entity assesses the likelihood and impact of inherent fraud risks in the program. (Recommendation 12) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for BIP. In July 2025, NTIA provided us with documentation demonstrating that RMC had identified several inherent risks to BIP and assessed their likelihood in a range from moderately likely to highly likely. For example, NTIA assessed the risk of improper payments as highly likely and the risk of collusion between recipients and state, local, or tribal officials as moderately likely. By assessing the likelihood of the inherent risks, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in BIP.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should ensure that the dedicated entity determines fraud risk tolerance for the program. (Recommendation 13) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for BIP. In January 2026, NTIA provided us with documentation demonstrating that RMC set its fraud risk tolerance for BIP as low based on its analysis. By determining the fraud risk tolerance, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in BIP.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should ensure that the dedicated entity examines the suitability of existing antifraud controls in the program and prioritizes residual fraud risks. (Recommendation 14) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for BIP. In January 2026, NTIA provided us with documentation demonstrating that the RMC had examined the suitability of existing antifraud controls by comparing them to leading practices and prioritized residual fraud risks through treatment plans for mitigating them. The treatment plans included testing and evaluating program controls and strengthening them when necessary. By examining the suitability of existing antifraud controls and prioritizing residual fraud risk, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud in BIP.
|
| National Telecommunications and Information Administration | For BIP, the Administrator of NTIA should ensure that the dedicated entity documents the fraud risk profile for the program. (Recommendation 15) |
In July 2024, we confirmed that NTIA designated its Programs Risk Management Council (RMC) as the entity to lead fraud risk management activities for BIP. In January 2026, NTIA provided us with RMC briefing slides that presented its fraud risk profile. The presentation documented the fraud risk assessment timeline, NTIA's fraud risk ratings, its response plan, its comparison to leading practices, its testing and evaluation of its fraud risk controls, and its fraud treatment plan for each residual fraud risk. The treatment plans included testing and evaluating program controls and strengthening them when necessary. By documenting the fraud risk profile for BIP, NTIA has enhanced assurance that it is sufficiently positioned to combat fraud.
|