State and local governments will be receiving dedicated cyber grants for the first time in 2022, now that the new bipartisan legislation has passed. While previous federal programs offered the potential for grants for cybersecurity projects in state and local governments through the Cybersecurity and Infrastructure Security Agency (CISA), those grants were not dedicated to (required to be spent on) improving cybersecurity.
On November 15, 2021, President Joe Biden signed into law the Infrastructure Investment and Jobs Act (IIJA). The new act provides $1 trillion of federal money to strengthen the nation’s infrastructure and fund other key programs and initiatives. IIJA allocates $2 billion to strengthening the nation’s cyber defenses, including $1 billion for grants to improve state and local government cybersecurity.
In addition to state and local cyber grants, the IIJA provides:
- $250 million to fund the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.
- $250 million to develop “advanced cybersecurity applications and technologies for the energy sector.”
- $20 million per year for fiscal year 2022, and every year thereafter until 2028, to create a Cyber Response and Recovery Fund to help public and private entities respond to a significant cyber incident.
- $157.5 million for the US Department of Homeland Security’s Science and Technology Directorate (DHS-S&T) to fund “critical infrastructure security and resilience research, development, test, and evaluation.”
- $35 million for the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) for “risk management operations and stakeholder engagement and requirements.”
Joseph Marks from the Washington Post reported that for the cybersecurity grant program, 1% will go to each state and 0.25% will go to all four US territories. Another 3% will go to tribal governments.
The rest of the funding will be split between states based on their population size and specifically their rural population numbers. States are required to devote at least 25% of the funding to cyber programs in rural areas.
These grants seek to enable best practices nationwide in areas that have traditionally been underfunded as compared to the private sector. The IIJA appropriates $200 million in federal grants under this program for fiscal year 2022; it appropriates $400 million, $300 million and $100 million, respectively, for fiscal years 2023, 2024 and 2025.
As a condition of the grants, state and local governments must provide matching funds from their own coffers, with the federal share capped each fiscal year. For fiscal year 2022, the federal share of the cost of an activity carried out under the grant program cannot exceed 90%, and this amount goes down 10% every year.
In addition, to receive the federal funds, grant applicants must develop a Cybersecurity Plan, subject to approval and periodic review by federal authorities. Such plans must describe the applicants’ approach to handling a comprehensive list of cybersecurity-related control measures.
The specific guidance on the new grant process has not yet been released by CISA, but guidance on past grants can be found in the FY20 Preparedness Grant Guidance. Some of that general guidance includes:
“As the dependence on and vulnerabilities to information technologies continue to expand, State, Local, Tribal, and Territorial agencies must keep pace by deploying consensus cybersecurity best practices. Involve Chief Information Officers and Chief Information Security Officers as you consider the following:
- Fundamentals. Focus on training staff, understanding who is and what is on your networks, protecting your data, and planning for resiliency, including cyber incident response plans at state and local levels.
- Investment. Invest in transparent, enterprise-wide capabilities that minimize attack surface, disrupt malicious connections, and ensure recoverability of normal operations.
- Holistic View. Take regional or state-wide approaches, increasing effectiveness and efficiency.”
Coverage of Infrastructure Investment and Jobs Act (IIJA)
Here are some of the helpful articles with specifics in IIJA:
Government Technology Magazine: Dedicated State and Local Cyber Grants Are Finally Arriving
This last article describes how: “The Biden administration’s $1 trillion infrastructure spending package includes $65 billion for broadband access to improve internet services for rural areas, low-income families and tribal communities. Most of the money would be made available through grants to states.”
Praise for Dedicated State & Local Cyber Grants From NASCIO
“We are elated,” Matt Pincus, director of Government Affairs at the National Association of State Chief Information Officers (NASCIO), told The Hill.
Indeed, NASCIO released their own statement on the passage of the Infrastructure Investment and Jobs Act:
“We are grateful for the passage of the bipartisan Infrastructure Investment and Jobs Act, which includes the $1 billion State and Local Cybersecurity Grant Program. NASCIO applauds Congress and the Biden administration for numerous provisions that aim to improve and secure our nation’s digital infrastructure, including significant funding for broadband.
“Dedicated cybersecurity funding for state and local governments, with an emphasis on increased collaboration between state and local governments with our federal counterparts, has been a long-standing priority for our association. The creation of this grant program is a significant step toward improving the cyber resilience for state and local governments across the country. The state CIOs and CISOs look forward to playing a significant role in the implementation of this program.”