Funding Cyber Protection: A Closer Look at State and Local Grant Programs

Over the last few years, the Biden administration has heightened the awareness, requirements and activities associated with protecting the American government, critical infrastructure and counterparty commercial entities from cybersecurity attacks. Whether attacks are from state-sponsored entities or independent hacker groups such as Anonymous, there is a need to ensure appropriate controls are in place to protect America’s systems, infrastructure and governmental entities from cyber attacks that aim to disrupt operations or steal sensitive information.

As such, new presidential executive orders (EO), policy directives (PPD) and industry standards have arisen to address these concerns, providing guidance and direction. In some cases, federal funding assists entities in meeting the requirements. Examples include:

Presidential Executive Orders (EO)

Presidential Policy Directives (PPD)

Standards

While much attention has been given to federal programs and critical infrastructure, thousands of state and local governments across the U.S. are often vulnerable and short on the funding and skills necessary to implement appropriate security protections.

Some state and local government entities have challenges implementing strong cyber controls, either due to budget constraints, lack of qualified resources or other means. Those cases may represent a soft target for cybercriminals to exploit. Because of this, the lower level of cyber maturity and the ability to adequately detect, respond and recover from cyber intrusions may be limited and less capable than desired.

The Organizational Imperative for Our Nation’s Cybersecurity – Civic Way says fragmentation of state and local governments poses a daunting barrier to our nation’s cybersecurity. The Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), is taking steps to help stakeholders across the country understand and reduce cyber related risks. Congress established the State and Local Cybersecurity Grant Program (SLCGP) to provide funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local or tribal governments.

Funding

The SLCGP provides funding of $1 billion over a four-year period. Funding for 2022 was $180 million with targeted future funding to include $400 million in FY2023, $300 million in FY2024 and $100 million in 2025. While this may sound like a lot of money, in practicality it is quite little. For 2022, the minimum allocated by the grant to a given state was approximately $2.2 million, while the largest states received upwards of between $5 million to $8.5 million. Imagine a state as large as Texas, allocating ~$6.5 million across state departments, 254 counties, and over 1700 cities, some of which are the largest municipalities in the country. These funds certainly won’t go far and fall far short of being relied upon to implement significant controls, tools or enhanced processes in any significant manner. Still, the funds represent an incentive for entities to apply, receive and use funding toward their greatest areas of need.

There is no guarantee that the SLCGP will be renewed each year. The CISA office will annually report to Congress on the effectiveness of the program to determine if the program will continue.

Program requirements

The key objectives of SLCGP, which can be found on the Cybersecurity and Infrastructure Security Agency’s SLGCP FAQ page, are to:

  • Develop and establish appropriate cybersecurity planning and governance
  • Understand cybersecurity posture and areas needing improvement
  • Implement protections commensurate with risks
  • Ensure personnel are trained in cybersecurity measures appropriate to job responsibilities

Once states receive their funds, they must deliver:

  • 80 percent of the funds to local governments
  • At least 25 percent of that must be made available under a grant passed through local, rural communities
  • Delivery needs to happen within 45 days of receipt of funds

The funds can be used for:

  • Developing, implementing and revising the cyber plan
  • Administration of the grant including training, hiring, and the purchase of equipment
  • Maintenance contracts or agreements
  • Warranty coverage
  • Licenses and user fees in support of a system or equipment
  • Hiring personnel; however, the applicant must address how these functions will be sustained when the funds are no longer available in their application.

What next? States should:

    1. Multi-factor authentication
    2. Enhanced logging to track intrusions and provide an audit trail of events and activities.
    3. Data encryption for data at rest and in transit
    4. Elimination of unsupported or” end of life “software and hardware that are accessible from the Internet
    5. Prohibit the use of known vendor-assigned default passwords and credentials
    6. The ability to restore functionality and availability of networks, systems and data
    7. Migration to the .gov internet domain for entities who were using domains not designated for government, like .org (non-profits) or .com (commercial organizations).

Cybersecurity planning committee

One of the requirements under SLCGP is the establishment of a planning committee. The Department of Homeland Security Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program | FEMA.gov outlines that the planning committee is responsible for developing, implementing and revising cybersecurity plans; formally approving the cybersecurity plan (along with the CIO and CISO, or equivalent official); and assisting with determination of effective funding priorities. To support these responsibilities, in addition to the representatives from the eligible entity itself, the planning committee must include respective representatives from the following constituent entities:

  • County, city and town representation (if the eligible entity is a state)
  • Institutions of public education within the eligible entity’s jurisdiction
  • Institutions of public health within the eligible entity’s jurisdiction
  • As appropriate, representatives from rural, suburban and high-population jurisdictions.

Cybersecurity plan

To qualify for funding under the program, the resulting cybersecurity plan should include the following components:

  • How the applicant will manage, monitor, and track information systems, applications, and user accounts they own and operate
  • How the applicant will monitor, audit, and track network activity traveling to and from information systems, applications and user accounts
  • How the applicant will improve the cyber response and resiliency of IT systems and applications
  • How the applicant will implement continuous vulnerability assessments and incorporate strategies to address cybersecurity threats to information systems and applications

Additional details are available here. To learn how one state (Nebraska) structured its multi-year approach, see pages 10-13 of this document.

Next steps

Most states have already applied for the funds, and state allocations have been established. Next steps are for state authorities to establish certain governance requirements and then work with state and local entities to further distribute the funds once they become available.

At the state level, a cybersecurity planning committee and a cybersecurity plan must be developed and approved by DHS. A governance program to manage the funding should be implemented to serve the subrecipient distribution process.

Local government entities should be in contact with the state’s cybersecurity planning committee to determine the application process, acceptance requirements and estimated timing for the funding.

It will be up to the states and state-level entities to determine how to best utilize any funding received for their purposes. Many entities who rely on third parties to assist in their implementations will likely need to procure services via established RFP processes based on estimated project threshold amounts.

The Federal Government’s National Cybersecurity Strategy provides much-needed guidance, information and funding to address critical need across the nation’s governmental entities. While “critical infrastructure” assets get the majority of attention based on their role and criticality to the nation’s operational resilience, the roles of supporting state and local governments are now being addressed with SLCGP legislation and funding. Those entities should work directly with state coordinators to understand the requirements to receive federal funds to assist. Significant accomplishments have been achieved at the state and local levels, however, more assistance will help to further mature their organizations, systems, and processes in an ever-changing cyber threat landscape.

Read the results of our new Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.

To learn more about our cybersecurity solutions, contact us.

Michael Porier

Managing Director
Security and Privacy

Subscribe to Topics

Generative #AI is set to revolutionize the field of enterprise architecture. Get a comprehensive overview of the impact of #GenAI on EA activities, plus challenges, risks and limitations in the latest Technology Insights blog post. https://ow.ly/foPJ50SkUW6 #ProtivitiTech

Protiviti’s @KonstantHacker will join a panel to speak on “Quantum Leap: Securing Manufacturing's Next Frontier with Post Quantum Cryptography” on July 18 in Chicago, IL. Register today for this in-person event. https://ow.ly/s02X50SkfcI #ProtivitiTech #Quantum

Protiviti’s Kim Bozzella explains why it’s crucial for businesses to establish trust through transparent and secure data practices: “Losing trust means losing business.” Learn how to take action now. https://ow.ly/mIAX50Sjjju #ProtivitiTech #DataPrivacy

Protiviti’s Mark Carson discusses the importance of measuring analytics capabilities, the importance of taking an agile approach to analytics assessment, and the future of analytics maturity. Read more in TechTarget: https://ow.ly/GJKw50Siri7 #ProtivitiTech

Protiviti’s @KonstantHacker and guest Benedikt Fauseweh, of TU Dortmund University, discuss Richard Feynman’s 1981 quantum simulator idea, its relevance today and whether this work has anything to do with ‘The Three-Body Problem’ novel and Netflix show. https://ow.ly/CrRY50SibFV

Load More