It’s been nearly six months since President Joe Biden signed a $1.2 trillion infrastructure law, stuffed with new funding for roadways, transit, ports, broadband and, of particular importance to state IT leaders, a bit of money for cybersecurity improvements.
But even as some of the Infrastructure Investment and Jobs Act’s programs have started flowing — like a $1.5 billion round for regional transportation projects — state officials are still waiting for clarity on how the cyber grants will work, anticipating the moment when the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency will finally publish its guidance on the $1 billion, four-year program.
That guidance gap was a major topic of discussion this week when the National Association of State Chief Information Officers gathered in National Harbor, Maryland, just outside Washington. Over the past few months, CISA has revised its timeline on the cyber grant guidance when meeting with groups representing state and local leaders, all of whom want to know how they’ll have to apply for the funds, redistribute the bulk to their local subdivisions and report their progress.
But with the first $200 million meant to be awarded before the federal government’s current fiscal year expires Sept. 30, states will have a very brief window to get their programs going, and there are many questions that still need answering.
“Part of what we want to do as a state is understand where we are as a cybersecurity ecosystem,” Michigan CIO and Chief Security Officer Laura Clark said Tuesday during a NASCIO session.
As written in the infrastructure law, the cyber grant program requires each state applying to craft a cybersecurity plan, approved by DHS, and put up a 10% financial match in the program’s first year — an amount that’s due to increase by 10 percentage points in each additional year. And 80% of all money has to flow down to localities, meaning statewide offices will have to establish funding mechanisms of their own, determine if they’ll ask those towns and counties to put up matching funds themselves and ensure compliance in how the grants are used.
“We have a certain level of investment,” she said. “But trying to figure out if we can match at the state level, if we require to match at the local level, not only is it a struggle at the local level, it’s also a nightmare at the state level with the reporting.”
Michigan, Clark said, covers a landscape that runs from the rural fringes of the Upper Peninsula down to the urban and wealthy suburban areas around Detroit. That kind of geographic and economic diversity will require states to be cautious about how they fund local grant recipients.
“Oakland County” — a Detroit suburb — “is one of the richest counties, they have a pretty advanced IT and security program,” she said. “We can’t compare Oakland with a township in the UP.”
And as Alex Whitaker, NASCIO’s director of government affairs, pointed out during the event, $1 billion spread across the entire United States over four years will be “a drop in the bucket” of what states truly need to improve their overall cybersecurity postures.
‘One size fits all’ won’t fit
A CISA representative met with NASCIO members on Sunday during an off-the-record session, one of several meetings the agency and NASCIO have had since the infrastructure law passed.
During Clark’s session Tuesday, members listed their expectations and desires for the program. Frequent points included reminding the federal agency that states need wide latitude in applying the grants, not a “one size fits all” approach, and whether state-provided network security services can count as a local grant use.
“What we’re asking CISA is if states can offer services to locals,” Clark said.
When CISA does publish a notice of funding opportunity — now rumored for release sometime this summer — states will have 45 days to reply. Officials who spoke with StateScoop in National Harbor said they’re aiming to have their documented plans ready to go whenever that guidance drops.
“We’ve done a lot of research. We’ve actually got a lot of programs in flight I think we can leverage to move Oklahoma forward,” Oklahoma CISO Matt Singleton said. “I think we’re going to be in pretty decent shape when the final guidance comes out.”
‘Don’t expect everything’
But giving states flexibility in how they manage the grant programs will be the crucial piece, said Vinod Brahmapuram, who recently resigned as Washington state’s CISO.
“Every state is in a different maturity model,” he told StateScoop. “It’s very important for CISA to allow the states latitude to really find out what is important. If CISA gets very prescriptive with their guidance, that can in fact work against the outcomes we want to get as part of this effort.”
The cyber grant program’s first year, he said, will at best be a first step.
“Don’t expect the plans to be very detailed,” he said. “Ask: ‘What are they key issues I’m going to solve?’ Then don’t expect everything in the first dose.”
Colin Wood contributed reporting.