The federal government’s new cybersecurity grant program continues to loom large for state and local technology officials, with several more mileposts to go before the money starts flowing, government IT experts said last week.
Speaking during a biannual online briefing about their organizations’ outlooks for the year ahead, Doug Robinson, executive director of the National Association of State Chief Information Officers, and Alan Shark, executive director of CompTIA’s Public Technology Institute, said it will likely be several more months before the Department of Homeland Security finally starts distributing the funds from the cyber grant program, which was created as part of the 2021 infrastructure law.
“Applications are in. States are storming and forming plans,” Robinson said.
After much anticipation, the application window for states to apply for the four-year, $1 billion grant program finally opened last September. While nearly every state applied by the Nov. 15 deadline, only 10 have submitted formal plans for how they’ll use whatever awards they receive. DHS’s Cybersecurity and Infrastructure Security Agency plans to distribute $180 million in the program’s first year.
The rules of the program stipulate that states must commit at least 80% of funds they receive to local governments. While that’s an appealing number, Shark said he’s worried that grant administration may be more about “checking off boxes” than about reflecting how small and short-staffed local governments actually function.
Shark said that once local governments start applying for sub-grants from their states, they’ll have to complete forms that satisfy as many as 15 requirements.
“An example of best practices at its very best, and totally divorced from how local governments operate,” Shark said. “There’s an enormous delta between how you go through the hoops and how you get what you really need.”
But both Robinson and Shark said they’re still hopeful the grant program will improve cybersecurity collaboration between state governments and localities, a goal both of their groups’ members have long prioritized.
“We have advocated for closer cooperation, but it takes more than just desire,” Shark said. “It takes a mandate. I have talked to many state CIOs over the years, and it’s not for lack of wanting to.”
At the state level, grants will be managed by new planning committees that include numerous officials beyond the CIO’s office. One thing that’s been cleared up in the past year is that the 80% of grant funding that states must send downstream doesn’t have to be a monetary transaction.
“Some states have determined they are simply going to have an application to apply for those dollars,” Robinson said. “Other states have said they’re going to look at the opportunity here to deliver things like a cybersecurity training platform.”
But, he said, it’ll be a bit longer before the grant process gets to that stage.
“We’re months away from real dollars being on the streets,” Robinson said during the briefing. “Every state may approach it differently. For the most part I see a hybrid. The states and locals need to assess their environments before they start buying bright, shiny objects.”