How State and Local Governments Should Prepare for Future Cyber Grants

Governments should start applying now for federal cybersecurity grants, which should start flowing later this year. Here’s how to make such efforts successful.

For state and local governments, the Infrastructure Investment and Jobs Act offers much to be excited about, including billions of dollars for broadband expansion and new smart city grants.

However, it is the cybersecurity grants in the legislation that have received attention in recent weeks. Cybersecurity and Infrastructure Security Agency Director Jen Easterly told local officials in January that she wants them to make cybersecurity a “kitchen table issue” and that she is working with the Federal Emergency Management Agency on guidance for the grant program, which she’s “looking to get out in the next few months,” StateScoop reports.

Meanwhile, local government officials are worried they will be left out of the funding or won’t have the expertise on hand to successfully apply for and receive grants, noted Alan Shark, executive director of CompTIA’s Public Technology Institute, during a recent event.

Small and rural localities should not worry too much. The law clearly sets aside cybersecurity grant money just for municipalities fitting that description.

However, now is the time for government agencies of all sizes to start strategizing on grants and rethinking the fundamentals of cybersecurity. The grants should be an opportunity for agencies to see IT security as more than just purchasing new firewalls; it should be about creating a practice of taking ownership over their cybersecurity.

How the Cyber Grant Funding Will Work

Under the section of the law known as the State and Local Cybersecurity Improvement Act, state, local and tribal governments can access up to $1 billion in grants to address cybersecurity risks and cybersecurity threats to information systems. The law funds the program at $200 million in fiscal year (FY) 2022, $400 million in FY 2023, $300 million in FY 2024 and $100 million in FY 2025.

The language of the law says that eligible plans need to incorporate, to the extent practicable, “any existing plans of the eligible entity to protect against cybersecurity risks and cybersecurity threats to information systems,” with states consulting with local governments.

The plans also need to describe how the government entity will “manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of” the government. Plans must describe efforts to manage and audit network traffic, as well as how the government intends to “enhance the preparation, response, and resiliency of information systems, applications, and user accounts.”

Importantly, plans also must implement a process of “continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by” the government entity.

Applications for state and local agencies will likely be released in March or April, and it seems like May would be the earliest grants are approved. As StateScoop reports, Doug Robinson, executive director of the National Association of State Chief Information Officers, said last month that the funds likely won’t arrive in states’ coffers until late in their fiscal years, which is usually at the end of June.

State and local governments should be building teams now that will handle the grant application and implementation process. They need to determine which officials will act as quarterbacks for these efforts. Agencies may also need to line up funding to ensure that proposed grant activities can be completed on time.

How State and Local Agencies Can Approach Cybersecurity Anew

Although not explicitly stated in the law, state and local officials should expect that many of the requirements placed on federal agencies around cybersecurity via a 2021 executive order — a shift to zero-trust architectures, the adoption of multifactor authentication and modern encryption tools — will start to trickle down to them.

The grant application process is an excellent opportunity for state and local IT leaders to consider how they are going to fill IT security gaps now and how they can put in place processes to test their infrastructure on an ongoing basis. Cybersecurity in 2022 should not be a “set it and forget it” exercise.

Simply purchasing firewalls and endpoint detection and response tools, while worthwhile, will not make state and local governments compliant. The grants are a way of signaling to agencies that the federal government wants cybersecurity to be something of which state and local leaders take ownership.

The process is designed to help agencies determine where their IT security gaps are and how to maintain security via new policies and enforcement.

Some governments are more forward-leaning and mature in their cybersecurity development than others. This should be a chance for a rising tide to lift all boats. Smaller government entities may want to consider working with a trusted third party to conduct a cybersecurity assessment or to help with grant applications.

Cybersecurity has always been a key concern for state and local governments. After many years of trying, they are finally getting targeted federal funding for it. Now is the time to make the most of available resources and reframe how to approach cybersecurity.

This article is part of StateTech’s CITizen blog series.