Nov 29 2022

How to Successfully Use First-of-Its-Kind State and Local Cybersecurity Grants

Establishing a planning committee is a key first step to putting this federal funding to work.

In September, the U.S. Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency, announced a first-of-its-kind cybersecurity grant program for state, local and territorial (SLT) governments across the country.

In the wake of the widespread transition to hybrid and remote work and school environments, network perimeters have expanded and consequently exposed substantial vulnerabilities. Local governments, schools, hospitals and other organizations are particularly vulnerable because they often lack the workforce resources to sufficiently defend themselves. Given the increasing frequency of ransomware and social engineering attacks, the grant funding is critically important, and SLT governments must capitalize on it as effectively as possible.

The State and Local Cybersecurity Grant Program will provide $1 billion in funding over four years to support SLT efforts to address cyber risk. To apply for the SLCGP funding, governments must establish a cybersecurity planning committee and create a cybersecurity plan. While many state and local organizations are eager to satisfy the prerequisites to obtain these much-needed resources, doing so is no small task.

Click the banner below to receive customized content by becoming an Insider.

Considerations for Impaneling a Statewide Planning Committee

The initial priority for all entities seeking funding is to prepare a representative and competent cybersecurity planning committee. Understandably, half of the members must be IT or cybersecurity professionals. But while technical acumen is important, a statewide committee will require input from professionals in many fields. Public health representatives and public education representatives must also sit on the committee, which is useful, considering hospitals and schools are often the targets of cyberattacks.

Committees should also include local leaders from as many jurisdictions within the state as possible. Notably, a quarter of the funding any state receives through the SLCGP must be allocated to rural communities. As such, it stands to reason that those communities should have a proportional voice on the committee. Additionally, since money is the primary target of many cyberattacks, financial experts and stakeholders in vulnerable institutions should also be included.

Committee members will have a tremendous responsibility and should be selected intentionally and carefully. Ideally, each committee will be an accurate representation of its state population. Once the committee is finalized, the next major hurdle before a state can apply for funding is the cybersecurity plan.

EXPLORE: How states can best spend cybersecurity grants.

A Cybersecurity Plan Must Address 16 Specific Elements

It is far easier to get a major initiative such as a statewide cybersecurity plan correct from the outset than to go back and rework a subpar plan. So, it’s critical that the planning and discovery phase be extensive and data-driven. There are 16 required elements for each state’s cybersecurity plan, representing a broad range of cybersecurity capabilities and best practices. When implemented over time, each element will substantially reduce an organization’s cybersecurity risk.

While states must address all 16 elements in the plan, not all elements must align with immediate activities or projects. Such determinations should be addressed in accordance with capability gaps and vulnerabilities identified through an objective assessment process. However, elements that pertain to password and identity management are highly likely to apply to all organizations that pursue this grant opportunity.

For instance, the first plan element is to “manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems.” Privileged access management and credential management tools will be integral to achieving this element, as they enable organizations to gain operational control over application permissions, user account permissions and associated credentials. Additionally, as required by the SLCGP grant, auditing is a major benefit of implementing such solutions as improvements, and their impact can be generated and reported.

$1 billion

The amount of funding the State and Local Cybersecurity Grant Program will provide over four years to support state, local and territorial governments to help address cyber risk.


Part of the fifth element of the plan must prohibit the “use of known, fixed, default passwords and credentials.” To achieve this goal without negatively affecting productivity and delaying the delivery of critical government services, organizations will need an industry-leading solution. A tool that replaces static credentials with dynamic, vaulted credentials that rotate upon use and that people never need to know will improve the workflow for users and dramatically shrink the attack surface.

Plan elements seven and nine speak to the importance of continuity of operations and communication, which are necessary components of a cybersecurity plan both during normal operations and in times of crisis. Organizations should seek out partners that can remotely manage sessions for internal IT teams, developers, contractors and vendors. Such tools can connect to any device, anywhere, without a VPN, while also gaining an unimpeachable audit trail. This audit trail is beneficial for compliance purposes and meets the reporting requirements of the cybersecurity grant.

DISCOVER: How state and local governments can defend against the top 10 types of malware.

The Potential to Bolster State and Local Resilience for Years

While it is a significant investment, this funding isn’t enough to completely mitigate cybersecurity challenges for state and local government organizations across the country. Therefore, it must be used strategically, and one of the best ways to ensure success is to collaborate with industry leaders while establishing the cybersecurity planning committee and cybersecurity plan. Industry leaders help devise robust cybersecurity plans for this grant program and serve as valuable partners to bolster the resilience of SLT public sector entities for years to come.

Furthermore, while every organization undoubtedly has unique needs, there are certain solutions all SLT organizations should consider. Because cyberattacks that abuse identities and privileges are so prolific, organizations should prioritize solutions for privileged access management and identity and access management. Additionally, given the modern remote workforce, secure remote access solutions will be incredibly useful for organizations seeking to defend their perimeterless networks.

Fortunately, this grant program is designed intelligently and with each organization’s unique needs in mind. Thanks to the roll-up at the state level, the participation and input of local representatives, and over 80 percent of the funding mandated to address challenges at the local level, this program is primed for success. It truly is a first-of-its-kind opportunity, so states shouldn’t hesitate to create their committees and plans for the available funding. Hopefully, similar grant programs will follow and build on the results of this program.

PeopleImages/Getty Images

aaa 1