Government agencies, from the Federal level down to local municipalities, are under constant threat of cyberattack by adversaries ranging from the lone hacker to nation-state operatives. In recent years, the Federal government has responded by sharing guidance and information, but that only takes budget-strapped state and local government entities so far.
To help state and local governments overcome their resource challenges and secure systems against attacks, Congress allocated $1 billion in funding from the Infrastructure Investment and Jobs Act (IIJA) for the State and Local Cybersecurity Grant Program, which is administered by the Department of Homeland Security. MeriTalk recently sat down with Norman St. Laurent, cybersecurity specialist at Cisco, to discuss how state and local technology leaders can tap into this grant funding for their cybersecurity initiatives.
MeriTalk: What types of cybersecurity projects are covered under the State and Local Cybersecurity Grant Program?
St. Laurent: This really is a once-in-a-generation funding opportunity for state and local governments to upgrade systems and protect networks against cyberattacks, including ransomware, which has plagued local governments over the past few years. The funding requirements are pretty broad. The key is that projects need to meet the funding objectives, which include improving capabilities to respond to cyber incidents and ensuring continuity of operations in case of an attack – so initiatives that build resiliency. Any project must also include continuous testing, evaluation, and structured assessments. Essentially, anything from upgrading legacy technology to adopting zero trust tools, introducing automation, and adding backup storage capacity can be covered as long as you can demonstrate the project meets the funding objectives. Another interesting aspect of the funding is that it covers hiring and training cybersecurity personnel to ensure agencies have the right cybersecurity skills on their teams.
MeriTalk: What entities are eligible to apply for a grant?
St. Laurent: This funding is designed specifically for state and local governments – all 50 states and six territories are eligible for funding. The application process follows a specific path, though. Individual agency CIOs can’t apply. The only entity eligible to apply is the State Administrative Agency, which is designated by the governor in each state and territory. Once funding is awarded, the State Administrative Agency officials must give at least 80 percent of the money to local or tribal governments. A minimum of 25 percent of those funds must go to rural areas.
MeriTalk: What steps do governments have to take to be considered for funding from this program?
St. Laurent: The Department of Homeland Security (DHS), which oversees this grant program, outlined specific requirements that must be followed in order to apply for a grant. States must create a Cybersecurity Planning Committee, which identifies and prioritizes state-wide cybersecurity initiatives. DHS has specific requirements for who should sit on the Cybersecurity Planning Committee. The other key requirement is the development of a Cybersecurity Plan, which must be approved by the Cybersecurity Planning Committee.
MeriTalk: What are the requirements for the Cybersecurity Plan?
St. Laurent: The Cybersecurity Plan is designed to be a strategic planning document that details how cybersecurity goals and objectives will be met and how the grant funding will be used to support those goals and objectives. Remember – the goal of this funding is to improve state and local cybersecurity. The best way for governments to protect against today’s increasingly sophisticated cyber threat environment is to adopt cybersecurity best practices and move toward a zero trust architecture. The White House has mandated zero trust at the Federal level through the Executive Order on Improving the Nation’s Cybersecurity. With this grant and the requirements of the Cybersecurity Plan, DHS is pushing states to follow suit.
The plan requirements include 16 elements that represent a broad range of cybersecurity capabilities, many of which support a zero trust architecture. These include implementing multifactor authentication and advanced logging, building data encryption for data at rest and in transit, and prohibiting the use of fixed and default passwords and credentials. Other required actions include discontinuing the use of end-of-life hardware and software that are accessible from the internet, migrating to the .gov domain, and implementing system backups.
MeriTalk: What should governments watch out for as they create their plan?
St. Laurent: The key is to take a holistic approach to cybersecurity. That’s why the applications must come from a single state agency, be approved by a single Cybersecurity Planning Committee, and be submitted with one overarching Cybersecurity Plan. This is a much different approach than other funding available through the IIJA, where individual state and local entities can apply for grants directly. DHS is looking to break down the traditional silos that are typically part of state and local governments, so be sure to look at security policies and tools holistically to improve your chances of having your funding application approved.
MeriTalk: If a government has a cybersecurity project already underway, can they still apply for a grant to help accelerate that project?
St. Laurent: The program application requirements are flexible and address various stages of security readiness. As long as the existing project is included in the Cybersecurity Plan and demonstrates how the funding will address the future state of the project, then it is eligible.
MeriTalk: If the grant application is approved, what are the next steps?
St. Laurent: The next steps are all outlined in the Cybersecurity Plan, which really becomes the implementation playbook. States follow the roadmap outlined in their plan. It’s the Cybersecurity Planning Committee’s job to ensure that happens. The planning committee will submit regular progress reports to DHS.
MeriTalk: How can Cisco support agencies during the grant application process?
St. Laurent: Cisco understands the unique state and local government environments and the urgent need to improve cybersecurity. We can advise leaders at every step of the grant application process. Our teams can help develop the Cybersecurity Plan, ensuring that all capabilities requirements are addressed and advising on how to prioritize spending. Once funding is approved, our teams can provide guidance on implementing elements of the Cybersecurity Plan through personalized help sessions and step-by-step implementation instructions. Our ready-built suite of proactive and reactive incident response services can deliver the visibility, resiliency, and threat intelligence that go above and beyond plan requirements. We can also monitor progress and quantify the project’s success with metrics that support reports that must be submitted to DHS. The full range of Cisco’s grant funding support can be found on Cisco’s website.