The Infrastructure Investment and Jobs Act that President Biden signed last November represented a win for state and local governments (SLG), with the inclusion of a $1 billion cybersecurity grant program targeted at improving SLGs’ cybersecurity posture.
The SLG cyber grant program included in the Infrastructure Investment and Jobs Act gives the Department of Homeland Security (DHS) oversight of the disbursal of $200 million in grant funding for fiscal year (FY) 2022, $400 million in FY2023, $300 million in FY2024, and $100 million in FY2025.
With the bill now law, SLGs have an opportunity to apply for funding to boost their cybersecurity capabilities and the question becomes: where should that funding go first?
Officials from General Dynamics Information Technology (GDIT) say that SLGs that apply for cyber funding from the grant program should focus on inventory and identity management to have the most impact.
“The first thing I always say is inventory management; you have to know what you’re defending,” Seth Abrams, GDIT’s Federal civil cyber lead, told MeriTalk last month. “The recent Log4j exercise that we went through is a perfect example of, ‘Do you have it running in your environment?’ Right, it’s a yes or no question. And if it’s a yes, they’ll fix it. But if the answer is, ‘I have no idea when you were even to look.’ Well, you know, let’s start there.”
Abrams said that once SLGs can confidently say what is in their environment, they should move to identity management, a major pillar of zero trust security architectures.
“The next defense that I would talk about would be identity management, where you need to know who’s in your environment, who has access to what,” Abrams added. “There’s a whole zero trust methodology, but getting started with zero trust is, who’s in the environment, do you have admins that have been fired three years ago and still have access?”
Dr. Matthew McFadden, GDIT’s vice president for cyber and distinguished technologist, said that in their experience, SLGs are less prepared to capitalize on cybersecurity funding and, thus, should prioritize creating resiliency and establishing a secure and modern security architecture.
“A lot of times [SLGs are] looking to do more with less, and how can they prioritize the most efficient cyber investments,” McFadden told MeriTalk. “For the most part they don’t really have a large cyber workforce. They have maybe critical infrastructure responsibilities, and in some cases working with the private sector, and you have these huge cyber events.”
“So, I think from a priority standpoint, it’s really about driving that resiliency and understanding how you best prioritize driving a secure architecture that’s modern, but at the same time, being able to prioritize what we may know is an emerging threat,” McFadden added. “So, vulnerability management is probably an important part.”
In terms of how the funds should be disbursed, McFadden and Abrams agree that funding for programs should be structured around risk, but noted that there are multiple ways to define who is most at risk, for example by looking at who is responsible for legacy cyber infrastructure or who manages critical infrastructure.
“Obviously, it’s important to get the funding out as quickly as possible, as requested,” McFadden said. “A lot of the priority investments driving towards that zero trust strategy and architecture is important. There’s the Federal government and the cyber executive order and OMB (Office of Management and Budget) and CISA (Cybersecurity and Infrastructure Security Agency) all recognize that adopting this strategy and mindset is really core to driving towards a more modern, resilient cybersecurity posture.”
“So, I would definitely echo that the state and state local governments should do the same, even though they’re not necessarily mandated to do that,” McFadden said. “And that’s something that we’ve been really working hard to drive towards with our customers and helping to accelerate.”
Abrams concurred with the need to prioritize funding based on risk and tied it back to the need to always understand what is in your environment from an inventory standpoint.
“I would echo the risk part of this right and I [what] talked about understanding what you have access to, what you control, and what your data is worth to the outside,” Abrams said. “Understanding where you fit in the bigger picture allows you to really prioritize what you need to protect, and it goes back to risk.”
“So, in your application, or for money, it should be, ‘I need this money to do this activity to protect this resource. Here’s the risk of not doing it,’” Abrams outlined. “And if, if that’s what the government receives in terms of prioritization, … it becomes a scorable metric that says that they’re ready for this money. They know exactly what they’re going to do with it. And here’s what it’s going to.”