Last Friday, the Biden-Harris administration announced a first-of-its-kind cybersecurity grant program for state and local governments. Funding comes from last year's Infrastructure Investment and Jobs Act and will allocate $1 billion over the next four years to improve existing cybersecurity programs and create new ones. The Department of Homeland Security will implement the program, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as subject matter experts and the Federal Emergency Management Agency (FEMA) administering the funds. State and local governments have until November 15, 2022 to apply.
Local governments have been frequent targets of attacks and have made news headlines for several years now. Funding and planning to prevent further attacks, however, has been left largely at the local level. The city of Atlanta; Farmington, New Mexico; and the Colorado Department of Transportation were all victims of SamSam ransomware as far back as 2018, and those incidents cost local taxpayers millions of dollars in response and recovery efforts. Now, federal funding will pay for preventive measures in the governments that are awarded grants.
Proper Oversight Required
Statutory conditions for governments receiving a grant include establishing a cybersecurity planning committee and a cybersecurity plan. Because the committee must have appropriate cross-representation of security professionals, an already busy technology, security, and risk workforce is about to get a bit busier helping out its local public institutions. The committee must put together a plan that includes key governance and asset identification procedures, along with methods to assess and evaluate cybersecurity gaps. It must also address seven best practices:
- Multi-factor authentication
- Enhanced logging
- Data encryption for data at rest and in transit
- Ending the use of unsupported/end-of-life software and hardware that is accessible from the internet
- Prohibiting the use of known/fixed/default passwords and credentials
- The ability to reconstitute systems (backups)
- Migration to the .gov internet domain
Seek Security And Technology Providers That Understand Small Government
Security service providers contracted to build and document cybersecurity governance and to conduct program assessments will immediately seek to benefit from these grants. Technology vendors selling tools that satisfy the newly laid out plans are next in line to cash in.
Ensure that prospective vendors of security logging and analytics, encryption, and data backup and recovery understand the unique needs of small and local governments: budget and planning cycles, the typical municipal office structure, and who actually makes purchasing decisions.
Purchases of, or improvements to, fundamentals like training, vulnerability risk management, and detection technologies will be listed in government security plans, and suppliers will take note. Security and technology vendors with existing small and local government clients should link the grant opportunities to published guidance on baseline security configurations, such as enabling multifactor authentication (MFA), strong password policies, and retiring end-of-life products. Favor vendors that make it easy for governments to find and implement the configurations their security plans call for.
Small Governments Still Need To Put In The Work
Given the timelines and the upfront governance work, it will take time for local governments to organize and reap the benefits, but this will happen as programs mature. Governments should start by tracking and inventorying their existing security tools, technologies, procedures, and plans.
These grants do not mean that government security operations centers (SOCs) will miraculously become fully staffed with cool gear, flashy screens on the walls, and best-of-breed tools. It is important that applicants stick to what CISA is looking for in the plans, which comes down to fundamentals like logging, MFA, strong passwords, and backups. Over time, this will decrease the chances that local taxpayers need to cover ransoms or breach recovery efforts.
Cyberinsurance premiums and ransomware payments are two notable ineligible uses of grant funds. Governments will still need to fund their cyberinsurance premiums separately and comply with insurers' requirements, which could pull attention away from the plans the committees put forth. Committee members will need to understand those insurance requirements to keep initiatives aligned. Governments whose ransomware response plans contemplate paying a ransom should remove that element before applying for the grant, since grant money cannot be used for it.
Governments seeking to get started earlier can refer to some free resources: