The passage and signing into law of the Infrastructure Investment and Jobs Act (the Act) provided historic levels of funding to states, territories, tribes and localities to address pressing infrastructure needs. While “traditional” infrastructure priorities that include roads and bridges were a central focus of the bill, broadband expansion and cybersecurity concerns also garnered substantial attention.
Most important to state and local governments who are considering how to improve cybersecurity is the inclusion of the State and Local Cybersecurity Grant Program. This new program authorizes the appropriation of $1 billion between 2022-2025 for the Department of Homeland Security to award grants to state, local and tribal governments to address cybersecurity threats and risks to their information technology (IT) systems. The Act funds the program at $200 million in fiscal year (FY) 2022, $400 million in FY 2023, $300 million in FY 2024 and $100 million in FY 2025, with an increasing state match required for each year beginning at twenty percent.
The Act outlines some of the main provisions of the program, including the requirement that states submit a cybersecurity plan to the Cybersecurity and Infrastructure Security Agency (CISA). These plans must contain several elements, including an explanation of how the state will manage, monitor and track information systems, as well as an overview of how the state plans to enhance preparation, response and resiliency of IT systems against risks and threats and how it will utilize best practices. Additionally, state chief information officers (CIOs) and chief information security officers (CISOs) are designated as the primary officials to manage and allocate funding. Perhaps the most important requirement (and the one raising the most questions for states and localities) is the stipulation that 80 percent of funding go to local, tribal and territorial governments.
While the fundamentals of the program are outlined in the Act, key questions about its governance remain that cannot be answered until a Notice of Funding Opportunity (NOFO) and accompanying guidance is released by CISA. It is through this guidance that states will learn, among numerous other things, whether they can provide services to local entities as part of the program’s 80 percent pass-through requirement, what auditing and control measures will be implemented in connection with the funding, and whether extensions of key deadlines will be granted. While there is no firm date for issuance of the guidance, stakeholders are hopeful that it will be released sometime this summer.
In the meantime, states have not been simply waiting for federal action. Many have been proactive in the absence of this critical guidance and are already working on developing their cybersecurity plans. Most states are planning a “whole-of-government” approach to using the grant through which they hope to provide services to local entities that will strengthen cybersecurity infrastructure. They are working to identify the cybersecurity needs at the local level, bringing local governments and other stakeholders into the planning process and developing metrics and benchmarks to help ensure these grant dollars are used successfully. But until CISA provides guidance for the grant, it is unclear whether this approach will be allowed.
At a recent conference of the National Association of State Chief Information Officers (NASCIO) state participants were asked what a successful State and Local Cyber Grant Program would look like. Key factors for a successful program include:
- Breaking down barriers between state and local government and fostering “the inertia of collaboration”
- Eliminating—or at least significantly reducing—open cybersecurity workforce positions
- Making localities aware of services offered by the state
- Involving both the governor’s office and the legislature in plan development and execution
- Developing metrics and data that can be used to establish how secure entities are from attacks
- Cultivating a broader understanding of cybersecurity attacks as a business risk, where all stakeholders work to reduce intrusions and vulnerabilities
- Planning for a program that is sustainable over the longer term and not focused solely on one-time investments
States don’t have time to wait to start thinking about how to keep their infrastructure and local governments safe from cyberattacks. They are forging ahead – coordinating across state agencies and with local governments to ensure that when the State and Local Cybersecurity Grant funds are made available, they’ll be put to immediate and effective use.
