New federal playbook targets cyber grant-funded critical infrastructure projects
Cyberattacks on critical infrastructure have risen to such an alarming scale that the Cyber Infrastructure and Security Agency and the Office of the National Cyber Director on Tuesday published a guide for federal agencies that manage cyber grant programs and for state and local governments that receive cybersecurity funding.
The 75-page guide, titled Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, aims to help operators of critical infrastructure build cyber resilience into their grant programs. The guide provides templates, models and recommendations that better prioritize cybersecurity tools.
For instance, the playbook recommends federal grant managers incorporate cybersecurity throughout the grant management lifecycle, such as by including specific language in their notices of funding opportunity and terms and conditions.
The guide includes templates for applicants to use when creating their cyber risk assessments and project cybersecurity plans, and a list of cybersecurity resources available to state and local grant recipients.
“As organizations seek to take advantage of historic infrastructure grants, it’s critical to ensure the security and resilience of this next generation of American infrastructure in every community across our nation,” CISA Director Jen Easterly said in a press release.
Critical infrastructure contains 16 sectors, including energy, communications, information technology, transportation and water utilities. Their assets are considered so vital to the United States that attacks could have cascading effects on national security, public health and safety.
Many state, local, tribal, and territorial governments are the first line of defense against cybercriminals seeking to disrupt the operations of critical infrastructure, but they’re often short of cybersecurity funds.
One industry report last August called cyberattacks on power grids, communication systems, transportation networks, ports and other critical infrastructure “the new geopolitical weapon,” because the attacks are often linked to foreign nations.
“As we make investments in rebuilding and updating our infrastructure through funding such as made available from the Investing in America agenda, we have the opportunity and obligation to build in cybersecurity by design. We need infrastructure projects to be shovel ready and cyber ready,” National Cyber Director Harry Coker Jr. said in the release. “That’s why we’re proud that the guidance released today will serve as a helpful resource to help our partners and recipients build cybersecurity into infrastructure projects from the beginning.”
CISA’s last playbook, released over the summer, was also aimed at improving the security of critical infrastructure. It included processes and tabletop exercises to help the public and private sectors minimize the effects of cyberattacks on their communities, reduce the risk of disruption to critical services and minimize system restoration costs.
Both playbooks build on the security agency’s infrastructure resilience planning framework, which provides guidance on how local governments and the private sector can work together to improve the security and resilience of the nation’s critical infrastructure.