Aug 15 2022

States Can Start Planning How to Best Spend Upcoming Cybersecurity Grants

Governments have options to consider when allocating funds from the Infrastructure Investment and Jobs Act.

In the near future, the Biden Administration will issue guidance for state grants under the 2021 Infrastructure Investment and Jobs Act (IIJA). The $1.2 trillion act provides $2 billion in funding for cybersecurity grants, half of which will materialize as a grant program for state governments.

The Federal Emergency Management Agency will administer the $1 billion grant program, disbursed to state governments from 2022–2025. States will welcome the money, as threats over the past several years have placed an even greater emphasis on cybersecurity. As ransomware attacks continue unabated, government agencies will use the fresh funding to protect their systems.

States must share that grant money with localities, which are far behind in their cybersecurity defenses. “Dollars should be focused primarily on bringing local governments up to a basic state of hygiene, because many are far behind standards,” says Mike Hamilton, Critical Insight CISO and former CISO for the city of Seattle.

How can state and local governments best spend this money to bolster cybersecurity?


Assess Cybersecurity Posture and Inventory Assets

Before purchasing anything, all agencies should begin with the Cybersecurity Framework developed by the National Institute of Standards and Technology. The framework is guidance to help organizations understand potential threats and vulnerabilities. Following the framework produces custom checklists for agencies. Those results can inform governments on what they might purchase to combat threats and mitigate vulnerabilities.

Conducting a security assessment and an asset inventory are key initiatives for all organizations. Knowing what’s on a network helps officials protect it. They also may uncover benefits from managed services or incident response.

State governments will not be able to use IIJA cybersecurity grants to hire people, unfortunately, and a lack of skilled workers is a constant challenge for the public sector. But sometimes, a product or service might fulfill a function that eases burdens on existing employees. Assessing what agencies might purchase beyond hardware or software could deliver greater returns. Purchasing a training module, for example, could strengthen employee skills in specific areas, and those employees could then share their knowledge.


Enforce Cyber Hygiene and Look to Multifactor Authentication

With ransomware a persistent threat to agencies and phishing a common method of installing ransomware, IT officials should purchase defenses against these attacks if they have not already. Multifactor authentication is a critical way to stop hacks against government systems before they begin, and instituting an MFA system is a critical step for agencies that do not yet have one.

According to Dark Reading, agencies should seek data analytics solutions if they lack them. Security information and event management technology and security orchestration, automation and response solutions would be good bets for spending federal grant money, as they gather information to inform agencies about likely threats. Local governments in particular should work hard on their basic cyber hygiene.

“Most incidents could have been prevented had security basics been done properly — identifying vulnerabilities, patching systems, using multifactor authentication for external access and using appropriate tools to detect unusual activity,” Chris Yule, director of the Secureworks Counter Threat Unit, tells Dark Reading.


Forge Working Relationships with Security Operations Centers

In a recent webinar produced by FedInsider, panelists called for strengthening connections between state and local governments and suggested building joint security operations centers (SOCs) to do so while enhancing cybersecurity capacity.

Laine Cavazos, national state, local and education practice manager for Rubrik Public Sector, endorsed the idea of building out regional SOCs, as Texas is currently doing. “I see some other states that have regional SOC requests for proposals on the streets right now. Those would lay the groundwork for what could be delivered on a larger scale after the funding for the infrastructure money comes through.”

Alaska CISO Chris Letterman agreed. “One of the ways that Alaska is exploring that concept is there is this idea of a joint cybersecurity operations center that’s being pioneered out of North Dakota, and a few other western states are involved in this thing.”

When it comes to basics, “Focus on getting a basic set of services in place, such as stock monitoring, detection, patch management and incident response plans, and then take it up a level with next steps, like two-factor authentication, vulnerability assessments, etc.,” Cavazos advised.

Michigan’s CIO, Laura Clark, mentioned doing cyber assessments by county in Michigan to qualify them for funding once guidance is available, “because you really have to understand where everybody is at and what you can do to best help them, as every county is going to have different levels of incomes and maturities,” she added.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.

