On Friday, September 16th, the Department of Homeland Security announced their new State and Local Cybersecurity Grant Program. This program is the first step by the federal government to push for better cybersecurity stances from state and local governments which have been found to be severely lacking. So what does this program entail?
While the link above provides most of the details, here is a quick synopsis as well as an idea about timelines:
$1 Billion total funding pool
The first point of note is to temper expectations about the funding pool. While a billion dollars sounds like a lot of money, keep in mind this is to be distributed over a period of 4 years to all 50 states plus 6 territories. This means the annual distribution will only average out to just under 4.5 million per state/territory. Ultimately, it's a lot of money, but also not a lot of money.
The good news however is that a minimum of 80% of funding is required to go to counties/cities/towns, meaning the state can't hoard the entire grant. Additionally, at least 25% of the total funding each state receives is required to go to rural communities meaning they won't be completely left in the cold either.
Creating a Cybersecurity Planning Committee and Cybersecurity Plan
There are two primary stipulations in the grant program. The first is the creation of a state-level committee, dedicated to cybersecurity planning. This committee would be tasked with drafting and approving a state-wide cybersecurity plan.
The cybersecurity plan is basically a container for what is currently in-place as well as blueprints for future plans. More importantly however it is supposed to contain requirements and metrics for local governments to be held to. In essence, it is a push for states to start requiring more out of local city/county governments in terms of security. Each state will likely have different requirements but it's likely they will share many similarities. This is important for anyone working in/with small town governments as it means there may soon be new requirements to adhere to.
Limited funding is currently available in FY2022 with additional funding becoming available in upcoming years. The initial funding is expected to mostly go towards creation of the previously mentioned committees and planning while subsequent years will be aimed more towards local counties/cities to help them adhere to what is in the plan.
For local governments, this means there will be about a 1-year timeframe before any notable funding is available. However, depending on how quickly a given state puts together a committee and plan, some funding could be available as early as now. Funding is also only available as long as it's being provided for adhering to your states cybersecurity plan. In other words, if a project would increase security, but that increase is not part of your state's plan, you won't be eligible for funding. This makes it important to pay attention to exactly is and isn't in your state's cybersecurity plan. If your state doesn't create a committee/plan, no town/county within the state would be eligible.
Just the first step
Most of us in the industry have known for some time the federal government has been eying improvement of cybersecurity postures in both public and private sectors. This is the first of what is likely to be more steps in the future to push the public sector side to improving their cybersecurity posture. That said, now is the time to start taking cybersecurity seriously, especially for local governments as (1) more changes will be coming down the pipe and (2) cybercriminals are starting to target small cities and towns more heavily, meaning having good security practices and process in place now can help avoid bigger problems.