Feb 22 2024
Security

Cybersecurity Grants Fund Shared Services for State Governments

Federal funding has gone to augmenting cybersecurity training, endpoint protection and more.

During a meeting of the National Association of State Chief Information Officers (NASCIO) last year, New Hampshire CIO Denis Goulet said that his state was establishing shared services with funds from the $1 billion federal State and Local Cybersecurity Grant Program (SLCGP).

In fiscal year 2022, the first year of the four-year program, New Hampshire received $2.5 million in cybersecurity grant funding from the U.S. Department of Homeland Security (DHS) out of the total $185 million available. New Hampshire has held onto those funds and spent them on services used by local governments rather than distributing the money directly to cities and towns.

Among the shared services touted by New Hampshire IT officials is multifactor authentication, a key technology for zero trust. “This project provides hardware tokens and professional services that municipalities, special districts and K–12 schools can use to implement multifactor authentication (MFA) in their technology environments. MFA reduces cyber risk by requiring users to provide two or more verification factors to access an application or an online account,” according to the New Hampshire Department of Information Technology.

The 2022 State of New Hampshire Cybersecurity Plan, a three-year strategic planning document, states, “Mechanisms will be implemented that provide for the control, administration, and tracking of access to, and the use of, information assets, as well as the protection of such assets from unauthorized or unapproved activity and/or destruction.”

Other states are following New Hampshire’s example and making the most effective use of their federal grant funds.


State Agencies Prioritize Common Requirements

The 2023 State CIO Survey: The Force of Automation and the Reality of Modernization, published by NASCIO last year, notes that the SLCGP was developed with a goal of dedicating 80 percent of its grant funding to local governments.

“States are allowed to provide services to localities, rather than direct funding, and the majority of states are adopting the shared services approach,” according to the survey. Less than 10 percent of states opted to provide direct funding to local governments.

During a recent webinar produced by NASCIO and the Public Technology Institute, experts acknowledged that state-run shared services models weren’t necessarily what many local governments anticipated when DHS instituted the SLCGP cybersecurity fund.

PTI Executive Director Alan Shark said, “Many local governments were led to believe that they were actually to get direct money, especially when 80 percent was supposed to be dedicated for them. And of course, the reality was, given the timing and the pressure to do something as opposed to nothing, in the end, states kind of reinterpreted that and basically said, ‘Yeah, we’re going to give you that. It’s going to be for you, but it’s going to be by way of services.’”

State governments implementing shared services through federal grant funding have taken different approaches to doing so. For example, the Texas Department of Information Resources recently invited localities to apply for funding through March 14. It promulgated four solicitations that align with cybersecurity objectives established by the Federal Emergency Management Agency:

  1. Governance and planning
  2. Assessment and evaluation
  3. Mitigation
  4. Workforce development

Shark believes that Texas has a good model, where the state disbursed the money regionally in “a distributed network.”

“To me, that is what’s necessary. It’s not just the money. It’s that we need to have a policy and a structure that allows for this to be scaled appropriately,” Shark said.


Shared Services Support a Whole-of-Government Approach

DHS funded the cybersecurity grants with $374.9 million in fiscal 2023. Texas received about $8.5 million in fiscal 2022 and $17.4 million in fiscal 2023. Local governments eligible to apply include counties; political subdivisions; school districts; junior colleges; tribal governments; and cities, towns and villages.

NASCIO Executive Director Doug Robinson hailed this model as a good idea. “It makes eminent sense to say that we’re going to provide cybersecurity training services, and let the local governments consume that rather than each of them having to spend dollars,” he said. State governments can maximize the impact of those funds through centralized spending.

In its 2023 State CIO Survey, NASCIO asked state IT leaders what shared services they were providing local governments. The top three answers:

  • Cybersecurity training (51 percent)
  • Risk assessments (40 percent)
  • Endpoint detection (40 percent)

NASCIO identified the state cybersecurity initiatives “receiving the most attention” as endpoint detection, cybersecurity awareness training, and identity and access management adoption and expansion. Identity and access management is critical not only for ensuring authorized access to appropriate resources but also for revoking access from individuals who are no longer authorized.

In recent years, NASCIO has endorsed a whole-of-state approach to cybersecurity, which emphasizes collaboration and information sharing among state and local agencies within their geographic boundaries. It’s a powerful and effective idea, and the dominant state approach to spending SLCGP funds on shared services is a great way to make that idea operational.

This article is part of StateTech’s CITizen blog series.
