State and local governments are increasingly a key target for attackers, but a lack of resources prevents many of them from taking the steps essential to fortifying their networks. Today’s release of the Notice of Funding Opportunity (NOFO) for the State and Local Cybersecurity Grant Program (SLCGP) will provide a much-needed boost for state and local governments to improve their cybersecurity posture.
A recent study that Palo Alto Networks commissioned with the Center for Digital Government found that nearly 80% of state and local IT officials expect ransomware to be a persistent threat over the next 18 months. Yet, over half of state and local entities don’t have a ransomware incident response plan in place. That finding underscores why the SLCGP will be a game-changer for many jurisdictions across the United States.
The State and Local Cybersecurity Grant Program is a key provision of the Infrastructure Investment and Jobs Act (the Act), which President Biden signed into law in November 2021. It authorizes the U.S. Department of Homeland Security via the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) to award $1 billion in grant money over the next four years to state and local governments and other eligible entities to address cybersecurity threats and risks to their IT networks and systems.
States must pass through at least 80% of the funds to local governments, including cities, counties and school districts. States must also dedicate 25% of the funds they receive to projects in rural areas. Each year will require a separate application and award.
The grant program requires that states match federal funding (starting at 10% in year one and growing to 40% in year four). However, that match can be waived if an eligible entity demonstrates economic hardship. More importantly, the matching requirement is substantially reduced and waived altogether in year one for multi-entity projects. This feature results in compounding savings over the life of the program. This deliberate incentive for multi-entity applications is designed to promote innovative solutions, such as joint security operations centers (SOCs), that will ultimately help foster a more robust cyber ecosystem.
The NOFO and accompanying guidance issued today mean that states, the District of Columbia and territories can formally apply for their share of the $185 million of funding that has now been made available for FY 2022.
To participate in the grant program, eligible jurisdictions must submit detailed cybersecurity plans to CISA. These plans should include details on a state’s existing cybersecurity posture and how it would use funds to drive enhanced resilience, such as implementing threat mitigation practices and a continuous cybersecurity vulnerability assessment process.
To make the application process easier, CISA has provided an application template that states can use to apply for funding. This template includes a series of required cybersecurity elements to gauge current maturity and outline how proposed projects will increase capabilities.
To develop their plans, eligible jurisdictions must first appoint a Cybersecurity Planning Committee and then submit the proposed cybersecurity plan to that committee for approval. Chief Information Officers (CIOs) and/or Chief Information Security Officers (CISOs) must additionally approve the state-wide cybersecurity plans and concurrently be members of the committee. Many states were made aware of these requirements via the authorizing legislation and have begun informally establishing these committees and drafting plans in coordination with CISA regional representatives.
Once a state, local government or other entity receives a grant through the program, it is then required to use the funds for the following purposes:
- Implement its cybersecurity plan.
- Develop or revise its cybersecurity plan.
- Pay expenses directly relating to the administration of the grant (without exceeding 5% of the grant’s amount).
- Assist with activities that address imminent cybersecurity threats.
- Pay for any other appropriate activity determined by the Secretary of Homeland Security, acting through the National Cyber Director.
The SLCGP should enable jurisdictions across the United States to truly move the needle on improving their cybersecurity resilience. There are steps that states, local governments and other entities can take to make the most of the funding they receive through the program:
- Invest in trusted, enterprise-wide, cybersecurity solutions that deliver maximum visibility without increasing IT complexity.
- Move away from narrow, single-point solutions and implement more integrated platforms.
- Start or accelerate an evolution toward a Zero Trust architecture and a Zero Trust security approach for securing their users, applications and infrastructure.
- Work with a provider that has a comprehensive portfolio of cybersecurity solutions, public sector expertise and credentials, as well as a strong ecosystem of technology partners.
Aside from the actual grant dollars, perhaps the most important feature of the program is that it requires states to work across all levels of government to establish a more holistic and unified cyber ecosystem. In the end, this forcing function (not just the dollars provided) will result in significant dividends in helping states create more resilient systems.
Additionally, state and local governments may want to consider submitting multi-entity plans to the grant program, so they can fund projects that will benefit the most people in their states and beyond, as well as help with cost-sharing. An example of such a project is a multi-state SOC, like the one Palo Alto Networks helped North Dakota Information Technology set up for cybersecurity and threat-hunting across boundaries, including tribal lands. Cyber threats, of course, aren’t constrained by geographical boundaries. Designing security solutions that recognize this reality can increase visibility into the threat landscape and enable more integrated, layered defenses.
States only have 60 days, until 5:00 pm ET on November 15, 2022, to complete the application process for year one funding, so we encourage you to act swiftly. To learn more about how Palo Alto Networks can help your public sector organization move its cyber initiatives forward and build a more secure foundation for the future, reach out to our team today. We are committed to supporting clients that are in need of assistance in navigating the application process.