Cybersecurity grant program kicks off with long-awaited guidelines

The Biden administration published a long-awaited notice for the $1 billion, four-year cybersecurity grant program in last year's infrastructure law.

Ten months after the passage of its $1.2 trillion infrastructure spending law, the Biden administration on Friday launched a $1 billion grant program for state and local cybersecurity.

The Department of Homeland Security published its notice of funding opportunity for the grants, announcing a 60-day application window for states and territories to submit their plans for the four-year program. Administration officials said the grants will be overseen by the Cybersecurity and Infrastructure Security Agency, in tandem with the Federal Emergency Management Agency, which has long distributed DHS funds to states and localities.

State chief information officers and chief information security officers have been waiting months for instructions on the grant program. The first year of funding technically covers the federal government’s 2022 fiscal year, a period that ends Sept. 30. That wait led Doug Robinson, executive director of the National Association of State Chief Information Officers, to predict in July that an extension would be necessary on the first year of the new grants.

During a briefing with reporters Thursday, Homeland Security Secretary Alejandro Mayorkas and White House Infrastructure Coordinator Mitch Landrieu said $185 million will be distributed to cover fiscal 2022. Over the 60-day application period, states will submit their plans for their share of the program, including plans for how they intend to redistribute at least 80% to their local governments, as required by the infrastructure law.


A separate grant program for tribal governments will be unveiled later this fall, administration officials said.

‘Enormous challenge’

“Many state and local governments face unique challenges and deserve support when defending against cyber threats, particularly against nation-states and well-resourced cybercriminals,” Mayorkas said. “Threat actors recognize and capitalize on these constraints by exploiting vulnerabilities and limited capacity to recover from devastating cyberattacks.”

The secretary rattled off several major ransomware incidents over the past few years, including attacks on Atlanta, Baltimore and Tulsa, Oklahoma, as well as last week’s attack against the Los Angeles Unified School District.

“The goal of this program is to address the enormous challenge that state, local and tribal and territorial governments currently face when defending against cyber threats,” Landrieu said. “With this funding, we are better protecting our most vulnerable communities, ensuring that resource constraints don’t hold them back from developing plans to safeguard their critical infrastructure.”


State CIOs and CISOs, who’ve held meetings with CISA officials over the past year, have had time to draft plans. Those plans are likely to vary widely from state to state, though a senior DHS official on the call said the federal government has a few objectives, including “effective implementation” of cybersecurity frameworks like the one published by the National Institute of Standards and Technology. CISA is also going to be “relying heavily” on its rosters of state coordinators and regional advisers.

But the official also promised flexibility.

“We worked with states, territories and local communities to give them the right level of discretion,” the official said. “We’re hearing a lot of diverse views. Generally speaking, we think the program will fit those needs.”

Once the 60-day application window ends, FEMA and CISA will jointly review states’ proposals, with the goal of awarding funds by the end of the calendar year. But the first year of funding will take “a little different approach,” an official said.

“Because the law requires jurisdictions to establish cybersecurity plans, we want them to have time to establish those plans,” he said.


The expectation is that states would use their first year’s worth of grant funding to develop plans for the remainder of the program, with the final three years of funding released once those proposals are approved, the official said.

A ‘kickstarter’

NASCIO and its members have been preparing for the grant program with an acknowledgment that $1 billion over four years, spread across the entire country, is a “drop in the bucket” compared to what states and localities need to defend themselves against a landscape that includes ransomware, foreign governments targeting software vulnerabilities and threats against critical infrastructure facilities.

A DHS official said the grant program will include CISA reporting back to Congress on how states are using the funds, and whether the grant program could continue.

“We’re going to use the execution of these first plans to understand how we’re making critical investments in our state and territorial partners,” the official said. “As we begin to see those changes occur, then we can begin to evaluate where those investments can go.”


Landrieu, the White House’s infrastructure lead, said the grant program is meant to be a “kickstarter” for states, and especially local governments, to bring cybersecurity to the forefront of their planning.

“It’s designed to help cities and small communities organize themselves,” he said. “Send a market signal from the federal government they need to harden their assets and have an all-hazards approach.”
