New US DHS grant program can boost local governments’ cybersecurity strength

Local governments continue to grapple with ransomware and other cyberattacks that have crippled their school systems and halted other civic functions. The latest crisis in a long string of local government cyber incidents involves the Los Angeles Unified School District. After refusing to give in to ransomware syndicate Vice Society’s demands for payment, it is forced to watch as the cybercriminal gang releases publicly the stolen, sensitive data in a double-extortion attack.

It’s fortuitous then that the US Department of Homeland Security (DHS) announced last month the first-ever cybersecurity grant program for state, local, and territorial (SLT) governments across the country. Nearly $1 billion in funding for the program was allocated to DHS via the Infrastructure Investment and Jobs Act (IIJA) of 2021, which established the State and Local Cybersecurity Improvement Act “to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.”

Funding for the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) will be administered through the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), with CISA acting as the subject matter expert and FEMA serving grant administration and oversight roles. FEMA issued a 93-page Notice of Funding Opportunity (NOFO) on September 16 that spells out the detailed steps and requirements that state, local, and territorial governments must take to receive grants under the programs.

Requirements for cybersecurity grant funding

To qualify for funding, SLTs have to demonstrate they have achieved four objectives:

• Objective 1: Develop and establish appropriate governance structures, including developing, implementing, or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel is appropriately trained in cybersecurity, commensurate with responsibility.

In addition, they are encouraged to prioritize the following activities:

• Establish a cybersecurity planning committee.
• Develop a state-wide cybersecurity plan, unless the recipient already has a state-wide cybersecurity plan and uses the funds to implement or revise a state-wide cybersecurity plan.
• Conduct assessment and evaluations as the basis for individual projects throughout the life of the program.
• Adopt critical cybersecurity best practices.

Moreover, the following strategic elements that focus on adopting security best practices and advancing toward zero-trust architecture are required to be included in cybersecurity plans and individual projects:

• Implement multi-factor authentication.
• Implement enhanced logging.
• Data encryption for data at rest and in transit.
• End use of unsupported/end-of-life software and hardware that are accessible from the internet.
• Prohibit the use of known/fixed/default passwords and credentials.
• Ensure the ability to reconstitute systems (backups).
• Migration to the .gov internet domain.

On top of all these requirements, successful grant applicants must gather and report back to DHS a host of performance measurements proving they are executing their plans.

All 56 states and territories are eligible to apply for SLCGP funds. All 50 states, the District of Columbia, and the Commonwealth of Puerto Rico will receive a minimum of $2,000,000 each, equaling 1% of total funds appropriated to DHS in FY 2022, with the four territories receiving $500,000 each. The remaining amount will be apportioned based on the ratio each state or territory bears to the population of all states and territories, with California, for example, receiving $7.8 million and Vermont, on the other end of the spectrum, receiving $2.3 million.

The path to cybersecurity grant funding won’t be easy

Reception for the grant program among industry professionals has been positive. “The development of this grant program is a great step toward providing federal resources to help state and local governments build up their cyber security defenses,” Stacy O’Mara, senior director of government affairs at now Google-owned Mandiant, tells CSO.

Mike Hamilton, former CISO of Seattle and CISO of cybersecurity firm Critical Insight, likewise thinks the program fills a need and tells CSO that FEMA’s NOFO is “pretty straightforward stuff.” However, a lot of unanswered questions need to be addressed before the funds are granted to SLT governments. “Right now, the only thing being paid for is a few million dollars to go into each state to set up a planning committee,” he tells CSO.

“I think there’s an onus on these committees to not only do the straightforward thing, which is to identify the needs out in local government so that they can fund those, but also address the nuance around procurements, what products are going to be authorized, and how you get to be an authorized product. A lot of that is unclear.”

The state planning committees will have one year to plan, but local governments will only have 60 days after that to apply for the funds. “At that point, they probably need to have assessed themselves against a critical framework, like the NIST Cybersecurity Framework, so that there’s a justification for those requests.”

Holly Ridgeway, EVP, CSO at Citizens Financial Group, tells CSO that state and local and tribal entities generally have difficulty getting much funding and praises the new grant program, but, “There are a lot of protections that you need to be able to put in,” which could pose challenges for some states. “It’s tough to prescribe controls to an entity because each entity has to look at the risk. There might be some states with a higher risk than others, like New York,” she says. “The biggest challenge is putting together your game plan.”

Any improvement in local government security posture is a good improvement

The jury is out in terms of how much the grant program will improve the security posture of local governments. “It will definitely fix some of the problems that are the ones that are hanging out there really badly,” Hamilton says. “Like tech debt, that’s a bad one. Many local governments have technology that cannot be patched, and they have to continue using it just because they don’t have the funds to fix stuff like that. If they can use the funds to fix this, that is a very good thing.”

Hamilton thinks requiring local governments to adopt multi-factor authentication could be the biggest bang for the buck in the whole program. “Multi-factor authentication is going to be a big deal. I do think it will move the needle. It will raise the bar, so we don’t have so much low-hanging fruit out there.”

Even if the grants help local governments improve their cybersecurity standings through initial upgrades, they don’t address any associated increases in long-term operating costs due to those improvements. “It’s a one-time grant,” Ridgeway says. “It’s not funding into perpetuity. It might get things in place, but you still have to figure out what your run costs are. If you purchase technology with this grant money and bring on additional resources to help implement it, you still have to have the care and feeding of that,” which hasn’t yet been reckoned for in DHS’s plans.

Even so, Ridgeway is optimistic that the grants can only improve cybersecurity at the local government level. “As a cybersecurity professional, I think any improvement they can make is a good improvement.”

Mandiant’s O’Mara thinks the program’s structure will help local governments build and mature their cybersecurity programs over time. “The required cybersecurity plans under the program will be approved for a two-year period, and then subsequently reviewed annually to ensure entities are building on investments from previous award years, thereby triggering an evolving cybersecurity posture,” says O’Mara.

States and territories that want to participate in the grants program have until November 15 to apply for the planning grants. DHS plans to notify grant recipients of their funding status by November 30, with the anticipated award dates no later than December 31.