Developing a road map to receiving IIJA cybersecurity grants

5 key considerations to leverage funding to strengthen your security approach

April 18, 2023

Key takeaways

$2 billion in grants are available for state, local, tribal, and territorial cybersecurity plans.

The funding and required compliance measures can create a more effective cybersecurity approach.

To take advantage of funding, states must understand eligibility requirements and processes.  

Within the $1.2 trillion Infrastructure Investment and Jobs Act (IIJA), the State and Local Cybersecurity Grant Program will appropriate nearly $2 billion in federal grants in fiscal years 2022 through 2025 to directly support and enhance cybersecurity programs owned or operated by state, local, tribal and territorial governments.

However, becoming eligible for a grant has its challenges. Approval requires collaboration at all levels of government (including the establishment of a planning committee) and a documented cybersecurity plan. Two states have chosen to decline the funding based on effort and allocation considerations. But the funding, and the compliance measures required to receive it, can serve as a catalyst for developing a more effective cybersecurity foundation, with potential benefits that include:

  • Economies of scale: The IIJA funding allows for local governments to realize advantages from cybersecurity modernization efforts occurring at the state level in order to help local and rural governments close the historic gap between organizations situated above and below the cyber poverty line.
  • Common technology and protection mechanisms: Shared services (e.g., a cyber threat intelligence-sharing platform) and technology investments (e.g., modern endpoint protection and response) can be established to benefit all levels of state government, including state agencies, utilities, rural governments, and school districts. The regional security operations centers in Texas are one example of this shared approach.
  • Common methods to measure success: Solving cybersecurity problems across a state requires collaboration at all levels of government. The available IIJA funds drive a common structure to measure progress across the state, including the establishment of common mechanisms and success metrics.

Driving a ‘whole-of-state’ approach

The available funds come at an optimal time, as chief information security officers for state governments look to embrace their entire state and extend their leadership reach to all levels of government, including the local level. A whole-of-state approach with centralized investments can drive economies of scale and consistency in cybersecurity architecture across state as well as local government agencies.

Breaking down the top considerations when seeking IIJA funds

1. Meeting eligibility requirements

Cybersecurity planning committee

The committee is tasked with identifying and prioritizing statewide efforts, as well as identifying opportunities to consolidate projects to increase efficiencies. Guidelines for committee formation include the following:

  • The committee should consider participation from any previously established technology or cybersecurity focused advisory bodies.
  • The committee structure, including the number of members, should meet the requirements of the IIJA and the Notice of Funding Opportunity.
  • At least 50% of the members must have professional experience related to cybersecurity or information technology.
  • Membership should include individuals with additional expertise based on individual state needs.

Cybersecurity plan

The cybersecurity plan is the statewide planning document that must be approved by the cybersecurity planning committee and the state’s chief information officer, CISO, or equivalent. The plan must align with the stated purposes of IIJA funding, as summarized below.

Funds can be used for:

  • Capital purchases (e.g., IT infrastructure)
  • Managed services (e.g., security operations, managed detection and response)
  • Consulting services (e.g., strategic planning, assessments, penetration testing)

Funds cannot be used for:

  • Supplanting existing costs (e.g., license renewals)
  • Hiring employees

Additionally, the plan and individual projects must consider common security best practices that move states toward a zero trust architecture model, in alignment with President Joe Biden’s 2021 executive order on improving the nation’s cybersecurity. These practices include, but are not limited to, the following:

  • Multifactor authentication
  • Enhanced logging
  • Data encryption
  • Removal of end-of-life/end-of-use assets from the internet
  • Strong passwords/authentication
  • Business continuity plans
  • Migration to the .gov internet domain

2. Allocating funds (with whole-of-state benefits)

With 80% of the funding required to be allocated to local governments (including a minimum of 25% for rural areas), the impact across the state could be realized through either individual entity allocations or a centralized approach. This whole-of-state strategy focuses on establishing, expanding, and improving major programs as a shared state investment utilized by state and local government agencies, and starts with building collaborative relationships between the state and local agencies.

The main areas of opportunity include the sharing of:

  • Services: Establish a shared cybersecurity capability that can be delivered at scale across state and local government agencies. These services generally include tools and shared processes supported centrally. Common examples include cybersecurity awareness training, cyber threat intelligence and information sharing, vulnerability scanning, cyber assessments (e.g., control, risk, and penetration testing), or a centralized security operations center such as the joint center in New York.
  • Tools: Utilize statewide buying power to evaluate, select and purchase licenses at scale in order to drive cost-effective solution modernization. Deployment and management of these solutions would be decentralized. Common examples include purchases of modern endpoint detection and response solutions, backup and recovery tools, and network firewalls.
  • Practices: Develop standardized processes, templates, and training materials that can be easily ingested and updated by each agency. This centralized center-of-excellence model drives consistency and collaboration based on leading standards. Common examples include cyber incident response, business continuity planning, and IT disaster recovery planning.

3. Distributing funds

Funds will be distributed incrementally to support projects throughout the performance period of up to four years. FEMA will be responsible for the oversight of appropriated funds. States will use their state administrative agencies to receive funds from the federal government and then distribute the funding to local governments in accordance with state law.

Governments should pursue two critical action items prior to applying for funding:

  • Undergo a cybersecurity assessment: Entities should undergo a cybersecurity assessment using a nationally recognized cybersecurity framework—e.g., the National Institute of Standards and Technology (NIST) framework—to identify gaps against best practices that could then be resolved through future funding.
  • Develop an incident response plan: A well-defined IRP is critical to success in obtaining funding, as it demonstrates that the entity has readiness provisions for application processes and knows what to do in the event of a cyberattack.

4. Measuring progress

To ensure ongoing monitoring and the effective use of funds, an entity can, in conjunction with FEMA, use several methods to track performance and ongoing progress and to demonstrate whether funds have provided benefits.

These methods include:

  • Check-ins with the CISO and leadership
    • Establish all-hands forums, roadshows, and other group events to monitor overall progress, direction, and project health.
  • Key metrics for determining funding impact:
    • Develop key metrics for monitoring investment impact by performing periodic cybersecurity assessments using a common framework and scoring methodology.

5. Planning for the future

The funding is available for allocation until 2025 but will eventually be exhausted. Funding for the long term requires careful planning with vendors, partners, and the legislators or districts benefiting from the established programs. Establishing these cybersecurity programs will make their benefit clear when it comes to protecting and defending key citizen services. However, all “whole of state” programs should begin with cross-agency collaboration as their baseline, so that organizations can continue to share knowledge and best practices beyond the grant’s cybersecurity plan.

Bringing it all together

Receiving the available IIJA funds will open the door for state and local governments to collaborate on cybersecurity, establish cross-functional programs, and create or enhance existing programs. Program execution will require coordinated project management, planning, and ongoing management.
