This money is coming through the State and Local Cybersecurity Grant Program (SLCGP) — signed roughly two years ago by the White House — to states, territories and local governments. As part of the dispersal, recipients have had to establish cybersecurity planning committees and also submit spending plans ahead of the deadline. To date, federal officials say they have received 30 plans, with 28 earning approval while two are currently under review. As many as 24 other submissions may still be on the way.
For many, this planning process is nuanced. The funding will span four years, which means some stakeholders are deciding whether to fund projects that end in that time or to put money toward long-running initiatives that will eventually need other support. States also must ensure at least 80 percent of their grant money goes to local government and so must find the best way to stretch across what could be hundreds of entities. They might decide to directly pass money to local government-proposed projects, provide statewide shared services or procurement vehicles, or a mix.
Maryland, for example, has worked through some of these questions. The state tweaked an earlier draft with advice from the federal Cybersecurity and Infrastructure Security Agency (CISA). It also is giving its relatively new CISO a chance to review the document in light of year 2 requirements released this month, said Netta Squires, the state's director of local cybersecurity.
All these plans must address several goals intended to bring governments up to a base-level cyber posture, like getting all state and local entities to use multifactor authentication, .gov domains and data encryption. To inform planning, Maryland’s committee surveyed local governments.
“We came back with some very alarming results, showing that the majority of Maryland jurisdictions that responded to the survey don’t even have a dedicated cybersecurity person,” Squires said. “It's hard for someone who's not a security person to even know what's wrong from a security perspective.”
The committee realized it needed an “I don’t know” answer in its survey. And some jurisdictions still didn’t respond, likely because they didn’t know how, she said. But these missing or “I don’t know” responses highlighted gaps.
While the SLCGP money won't necessarily be enough to provide every jurisdiction with its own information security officer, the committee has discussed potentially funding a shared information security officer program, Squires said. Other ideas include shared services for EDR, and vulnerability and asset management. While nothing is finalized, the planning committee is interested in providing shared services that the state would maintain after the grant runs out as well as in offering subgrants to local governments to fund projects and purchases aligned with SLCGP goals.
States may retain 20 percent of the grant monies, and Maryland's committee has discussed using this for projects that boost state capacities in ways that also benefit local entities. That might mean expanding the security operations center (SOC) team, which could then help more stakeholders.
Delaware’s published plan, meanwhile, envisions developing cybersecurity consulting programs and virtual CISOs. Virginia’s plan would create a statewide information sharing and analysis center (ISAC) — the Virginia-ISAC — to “assist in the prevention, detection and response areas for those SLTT organizations that don’t have the expertise or resources for a fully staffed information security program.” The ISAC would share threat information and support incident coordination, among other functions.
Squires noted that for states wishing to launch long-term projects, the SLCGP is designed to provide seed money and ease states into taking over the funding, via match requirements that increase each year.
But the money itself isn’t the big point of the SLCGP, Squires said.
“One of the biggest things that this money can do is really help bring everyone to the table,” Squires said.
Yes, the larger — and perhaps lasting — impact is bringing stakeholders together to create a stronger security environment.
The federal government, meanwhile, has recently announced some details about year 2 of the SLCGP.
First-year initiatives are meant to help recipients set up governance structures to improve cyber incident response, among other things, per CISA. Year 2, however, emphasizes continually assessing cyber postures and identifying areas to improve, training personnel on cyber and adopting relevant security measures.
Fifty-four of the 56 eligible entities opted to participate in year 1, with Florida and South Dakota declining. The two states could join in year 2, but they’ll need to create a grant planning committee and cybersecurity plan, like their peers.
In emails, spokespeople from the South Dakota’s governor’s office and Bureau of Information and Telecommunications cited concerns about the “administrative burden” of the grant, including setting up a committee, unclear requirements and the cost of maintaining projects beyond the grant’s four-year lifespan. South Dakota did not entirely close the door to participating.
“South Dakota will continue to evaluate the program as more information is made available,” an IT spokesperson said.
Florida officials did not respond to questions about whether the state intends to participate.
Year 2 applications are open until Oct. 6.