Cyber grants can’t be ‘once and done,’ NACo leader says
With President Joe Biden’s expected signature of a $1.2 trillion infrastructure bill, state and local governments are about to get more federal assistance for cybersecurity efforts than ever before.
Over the next four years, the Department of Homeland Security will dole out $1 billion in new grants to states and localities to help shore up their network defenses, which have been battered by ransomware attacks and stretched thin by the remote-work necessities of the pandemic. It’s a huge step up from DHS’s previous level of support for state and local cybersecurity — in 2021, only $75 million of the Federal Emergency Management Agency’s flagship grant program was specifically tailored for cyber expenditures.
About 80% of the new grant money is earmarked for local governments, and of that, about one-quarter must go to rural counties, according to the text of the Infrastructure Investment and Jobs Act. And even though it will be several months before the grants start flowing, state and local governments are already discussing how to use them.
“In advance of any real tangible funds, we had a lot of discussions with county IT leaders,” Rita Reynolds, the chief information officer for the National Association of Counties, told StateScoop.
Meanwhile, the $1 billion expected between now and 2025 might only be a down payment on what state and local governments need to bolster their cybersecurity. The grant program in the infrastructure bill is pared-down version of the State and Local Cybersecurity Improvement Act, which calls for $500 million annually but has failed to become law despite being approved by the House multiple times, most recently in July.
“What I can tell you is it shouldn’t be once and done,” Reynolds said.
Reynolds said that in August, NACo sent its members a list of 11 best practices that are “very critical” to shoring up their IT defenses. At the top of that list were features such as multi-factor authentication, domain-based email authentication protocols and migration to the .gov top-level domain. While those practices are all well-trodden territory in cybersecurity discussions, Reynolds said, they can be daunting to implement for small counties — which are among the easiest targets for malicious actors.
“All these areas take time, effort and money,” she said. “Multi-factor authentication is costly for most counties. It’s not just end users. You need it for VPN logins and contractors.”
Counties also face financial and personnel challenges in hiring consultants, managed service providers and on-site staff, she said.
And while the Cybersecurity and Infrastructure Security Agency — which will advise FEMA in doling out the new grants — has waived the fees for .gov registrations, Reynolds said local governments making the move incur incidental costs.
“It’s a process where you can quickly change the domain name, but then you have to change the collateral, like stationery and marketing materials,” she said. Though she added that she has not heard of DHS rejecting those costs as acceptable cybersecurity expenditures.
Counties also need to prepare to navigate how grants are distributed. While Reynolds said she had hoped the program would be structured so that money can go directly to local governments, FEMA sends money first to state governments (or tribal and territorial governments) which then redistribute it to their localities. The infrastructure bill also requires each state to submit a comprehensive cybersecurity plan. Currently, just one-third of states have line items for cybersecurity in their budgets, according to the National Association of State Chief Information Officers.
Reynolds noted that the bill also stipulates that grant money can’t be given to localities in-kind by a state routing it through, say, an emergency management agency. “It has to be actual dollars,” she said.
