Considerations for Impaneling a Statewide Planning Committee
The initial priority for all entities seeking funding is to prepare a representative and competent cybersecurity planning committee. Understandably, half of the members must be IT or cybersecurity professionals. But while technical acumen is important, a statewide committee will require input from professionals in many fields. Public health representatives and public education representatives must also sit on the committee, which is useful, considering hospitals and schools are often the targets of cyberattacks.
Committees should also include local leaders from as many jurisdictions within the state as possible. Notably, a quarter of the funding any state receives through the SLCGP must be allocated to rural communities. As such, it stands to reason that those communities should have a proportional voice on the committee. Additionally, since money is the primary target of many cyberattacks, financial experts and stakeholders in vulnerable institutions should also be included.
Committee members will have a tremendous responsibility and should be selected intentionally and carefully. Ideally, each committee will be an accurate representation of its state population. Once the committee is finalized, the next major hurdle before a state can apply for funding is the cybersecurity plan.
A Cybersecurity Plan Must Address 16 Specific Elements
It is far easier to get a major initiative such as a statewide cybersecurity plan correct from the outset than to go back and rework a subpar plan. So, it’s critical that the planning and discovery phase be extensive and data-driven. There are 16 required elements for each state’s cybersecurity plan, representing a broad range of cybersecurity capabilities and best practices. When implemented over time, each element will substantially reduce an organization’s cybersecurity risk.
While states must address all 16 elements in the plan, not all elements must align with immediate activities or projects. Such determinations should be addressed in accordance with capability gaps and vulnerabilities identified through an objective assessment process. However, elements that pertain to password and identity management are highly likely to apply to all organizations that pursue this grant opportunity.
For instance, the first plan element is to “manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems.” Privileged access management and credential management tools will be integral to achieving this element, as they enable organizations to gain operational control over application permissions, user account permissions and associated credentials. Additionally, auditing, which the SLCGP grant requires, is a major benefit of implementing such solutions, because reports on improvements and their impact can be generated.