How the Cyber Grant Funding Will Work
Under the section of the law known as the State and Local Cybersecurity Improvement Act, state, local and tribal governments can access up to $1 billion in grants to address cybersecurity risks and cybersecurity threats to information systems. The law funds the program at $200 million in fiscal year (FY) 2022, $400 million in FY 2023, $300 million in FY 2024 and $100 million in FY 2025.
The language of the law says that eligible plans need to incorporate, to the extent practicable, “any existing plans of the eligible entity to protect against cybersecurity risks and cybersecurity threats to information systems,” with states consulting with local governments.
The plans also need to describe how the government entity will “manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of” the government. Plans must describe efforts to manage and audit network traffic, as well as how the government intends to “enhance the preparation, response, and resiliency of information systems, applications, and user accounts.”
Importantly, plans also must implement a process of “continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by” the government entity.
Applications for state and local agencies will likely be released in March or April, and May appears to be the earliest that grants would be approved. As StateScoop reports, Doug Robinson, executive director of the National Association of State Chief Information Officers, said last month that the funds likely won’t arrive in states’ coffers until late in their fiscal years, which usually end at the end of June.
State and local governments should be building teams now that will handle the grant application and implementation process. They need to determine which officials will act as quarterbacks for these efforts. Agencies may also need to line up funding to ensure that proposed grant activities can be completed on time.
How State and Local Agencies Can Approach Cybersecurity Anew
Although not explicitly stated in the law, state and local officials should expect that many of the requirements placed on federal agencies around cybersecurity via a 2021 executive order — a shift to zero-trust architectures, the adoption of multifactor authentication and modern encryption tools — will start to trickle down to them.
The grant application process is an excellent opportunity for state and local IT leaders to consider how they are going to fill IT security gaps now and how they can put in place processes to test their infrastructure on an ongoing basis. Cybersecurity in 2022 should not be a “set it and forget it” exercise.
Simply purchasing firewalls and endpoint detection and response tools, while worthwhile, will not make state and local governments compliant. The grants are a way of signaling to agencies that the federal government wants cybersecurity to be something of which state and local leaders take ownership.
The process is designed to help agencies determine where their IT security gaps are and how to maintain security via new policies and enforcement.
Some governments are more forward-leaning and mature in their cybersecurity development than others. This should be a chance for a rising tide to lift all boats. Smaller government entities may want to consider working with a trusted third party to conduct a cybersecurity assessment or to assist with grant applications.
Cybersecurity has always been a key concern for state and local governments. After many years of trying, they are finally getting targeted federal funding for it. Now is the time to make the most of available resources and reframe how to approach cybersecurity.