Funding Cyber Protection: A Closer Look at State and Local Grant Programs

Over the last few years, the Biden administration has heightened the awareness, requirements and activities associated with protecting the American government, critical infrastructure and counterparty commercial entities from cybersecurity attacks. Whether attacks are from state-sponsored entities or independent hacker groups such as Anonymous, there is a need to ensure appropriate controls are in place to protect America’s systems, infrastructure and governmental entities from cyber attacks that aim to disrupt operations or steal sensitive information.

As such, new presidential executive orders (EO), policy directives (PPD) and industry standards have arisen to address these concerns, providing guidance and direction. In some cases, federal funding assists entities in meeting the requirements. Examples include:

Presidential Executive Orders (EO)

EO 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
EO 13691 – Promoting Private Sector Cybersecurity Information Sharing
EO 13681 – Improving the Security of Consumer Financial Transactions
EO 13636 – Improving Critical Infrastructure Cybersecurity
EO 13556 – Controlled Unclassified Information

Presidential Policy Directives (PPD)

PPD 41 – United States Cyber Incident Coordination
PPD 21 – Critical Infrastructure Security and Resilience

Standards

NIST Computer Security Resource Center – Extensive collection of standards, guidelines, recommendations, and research on the security and privacy of information and information systems.
Federal Information Processing Standards (FIPS) – Security standards
Special Publications (SP) 800 – Computer security
Special Publications (SP) 1800 – Cybersecurity practice guides

While much attention has been given to federal programs and critical infrastructure, thousands of state and local governments across the U.S. are often vulnerable and short on the funding and skills necessary to implement appropriate security protections.

Some state and local government entities have challenges implementing strong cyber controls, either due to budget constraints, lack of qualified resources or other means. Those cases may represent a soft target for cybercriminals to exploit. Because of this, the lower level of cyber maturity and the ability to adequately detect, respond and recover from cyber intrusions may be limited and less capable than desired.

The Organizational Imperative for Our Nation’s Cybersecurity – Civic Way says fragmentation of state and local governments poses a daunting barrier to our nation’s cybersecurity. The Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), is taking steps to help stakeholders across the country understand and reduce cyber related risks. Congress established the State and Local Cybersecurity Grant Program (SLCGP) to provide funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local or tribal governments.

Funding

The SLCGP provides funding of $1 billion over a four-year period. Funding for 2022 was $180 million with targeted future funding to include $400 million in FY2023, $300 million in FY2024 and $100 million in 2025. While this may sound like a lot of money, in practicality it is quite little. For 2022, the minimum allocated by the grant to a given state was approximately $2.2 million, while the largest states received upwards of between $5 million to $8.5 million. Imagine a state as large as Texas, allocating ~$6.5 million across state departments, 254 counties, and over 1700 cities, some of which are the largest municipalities in the country. These funds certainly won’t go far and fall far short of being relied upon to implement significant controls, tools or enhanced processes in any significant manner. Still, the funds represent an incentive for entities to apply, receive and use funding toward their greatest areas of need.

There is no guarantee that the SLCGP will be renewed each year. The CISA office will annually report to Congress on the effectiveness of the program to determine if the program will continue.

Program requirements

The key objectives of SLCGP, which can be found on the Cybersecurity and Infrastructure Security Agency’s SLGCP FAQ page, are to:

Develop and establish appropriate cybersecurity planning and governance
Understand cybersecurity posture and areas needing improvement
Implement protections commensurate with risks
Ensure personnel are trained in cybersecurity measures appropriate to job responsibilities

Once states receive their funds, they must deliver:

80 percent of the funds to local governments
At least 25 percent of that must be made available under a grant passed through local, rural communities
Delivery needs to happen within 45 days of receipt of funds

The funds can be used for:

Developing, implementing and revising the cyber plan
Administration of the grant including training, hiring, and the purchase of equipment
Maintenance contracts or agreements
Warranty coverage
Licenses and user fees in support of a system or equipment
Hiring personnel; however, the applicant must address how these functions will be sustained when the funds are no longer available in their application.

What next? States should:

Establish a cybersecurity planning committee.
Create and execute a two to three-year statewide cybersecurity plan, which is required to be submitted for DHS review by September 30, 2023, to be considered for future funding cycles.
Each state’s cybersecurity plan must include the seven best practices outlined in the Bloomberg Federal Assistance e311 Content Workshop: Cybersecurity Funding and Solutions:

1. Multi-factor authentication
2. Enhanced logging to track intrusions and provide an audit trail of events and activities.
3. Data encryption for data at rest and in transit
4. Elimination of unsupported or” end of life “software and hardware that are accessible from the Internet
5. Prohibit the use of known vendor-assigned default passwords and credentials
6. The ability to restore functionality and availability of networks, systems and data
7. Migration to the .gov internet domain for entities who were using domains not designated for government, like .org (non-profits) or .com (commercial organizations).

Cybersecurity planning committee

One of the requirements under SLCGP is the establishment of a planning committee. The Department of Homeland Security Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program | FEMA.gov outlines that the planning committee is responsible for developing, implementing and revising cybersecurity plans; formally approving the cybersecurity plan (along with the CIO and CISO, or equivalent official); and assisting with determination of effective funding priorities. To support these responsibilities, in addition to the representatives from the eligible entity itself, the planning committee must include respective representatives from the following constituent entities:

County, city and town representation (if the eligible entity is a state)
Institutions of public education within the eligible entity’s jurisdiction
Institutions of public health within the eligible entity’s jurisdiction
As appropriate, representatives from rural, suburban and high-population jurisdictions.

Cybersecurity plan

To qualify for funding under the program, the resulting cybersecurity plan should include the following components:

How the applicant will manage, monitor, and track information systems, applications, and user accounts they own and operate
How the applicant will monitor, audit, and track network activity traveling to and from information systems, applications and user accounts
How the applicant will improve the cyber response and resiliency of IT systems and applications
How the applicant will implement continuous vulnerability assessments and incorporate strategies to address cybersecurity threats to information systems and applications

Additional details are available here. To learn how one state (Nebraska) structured its multi-year approach, see pages 10-13 of this document.

Next steps

Most states have already applied for the funds, and state allocations have been established. Next steps are for state authorities to establish certain governance requirements and then work with state and local entities to further distribute the funds once they become available.

At the state level, a cybersecurity planning committee and a cybersecurity plan must be developed and approved by DHS. A governance program to manage the funding should be implemented to serve the subrecipient distribution process.

Local government entities should be in contact with the state’s cybersecurity planning committee to determine the application process, acceptance requirements and estimated timing for the funding.

It will be up to the states and state-level entities to determine how to best utilize any funding received for their purposes. Many entities who rely on third parties to assist in their implementations will likely need to procure services via established RFP processes based on estimated project threshold amounts.

The Federal Government’s National Cybersecurity Strategy provides much-needed guidance, information and funding to address critical need across the nation’s governmental entities. While “critical infrastructure” assets get the majority of attention based on their role and criticality to the nation’s operational resilience, the roles of supporting state and local governments are now being addressed with SLCGP legislation and funding. Those entities should work directly with state coordinators to understand the requirements to receive federal funds to assist. Significant accomplishments have been achieved at the state and local levels, however, more assistance will help to further mature their organizations, systems, and processes in an ever-changing cyber threat landscape.

Read the results of our new Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.

To learn more about our cybersecurity solutions, contact us.