Cyber grants are a ‘game changer,’ CISA leader tells Congress

CISA Executive Director Brandon Wales told Congress a goal of the new program is to get state and local governments to a "common baseline."
Executive Director of the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security Brandon Wales speaks at a hearing with the House Committee on Oversight and Reform in the Rayburn House Office Building on Nov. 16. (Anna Moneymaker / Getty Images)

The cybersecurity grants for state and local governments authorized in the $1.2 trillion infrastructure package President Joe Biden signed into law this week are expected to greatly improve the postures of the entities that receive them, a senior Department of Homeland Security official told members of Congress Wednesday.

“We believe the cybersecurity grants for state and local communities is really going to be a game changer in dramatically enhancing the security of our communities throughout the country,” Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, said during a House Homeland Security Committee hearing on the United States’ abilities to combat ransomware.

While the hearing focused on the broader threats extortion malware poses to businesses and critical infrastructure, Rep. Yvette Clarke, D-N.Y., who chairs the committee’s cybersecurity panel, asked Wales how DHS is planning to stand up the grant program, which will parcel out $1 billion over the next four years. While the grants will technically be administered by the Federal Emergency Management Agency, which has long been DHS’s main grant-making unit, the Infrastructure Investment and Jobs Act calls on CISA to serve in an advisory capacity — work that Wales said has already started.

“Even before the bill was signed by the president, we had been working with FEMA to begin to map out what the plan is to roll these grants out over the next year,” he said. “Within CISA we are working to identify the priorities we want states and locals to focus on.”


The infrastructure law requires each state to develop a comprehensive cybersecurity plan to qualify for the grants, and about 80% of the total funds will eventually make their way to local jurisdictions. Wales told Clarke that leaves CISA with several questions to answer before the money begins flowing, which is expected in 2022.

“What does the planning architecture need to look like as states develop their cybersecurity plans?” he said. “What are the priorities as that money flows down into local communities? And making sure we are thinking through how we get CISA’s field-based personnel to support states and locals as they plan and implement the funding that will come along with these grants.”

Wales also said one goal will be to get grant recipients to a “common baseline.” That’s likely to include some cybersecurity steps that are commonly described as fundamental — multi-factor authentication, limiting the number of privileged user accounts on a government network, patching vulnerabilities as soon as they’re identified and running regular risk assessments. But those are sometimes unaffordable for the small, local governments that stand to benefit from the new grant program.

“All these areas take time, effort and money,” Rita Reynolds, the chief information officer for the National Association of Counties, told StateScoop last week.
